From 07e38f7a9d7f188dfa565abb186eaf08c6f93dd9 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Thu, 17 Apr 2003 12:07:32 +0000 Subject: Adding Mimir's edits. (This used to be commit c77c4e57dcecd6eeaadffe1b1f78483eaaa79217) --- docs/docbook/devdoc/gencache.sgml | 119 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 119 insertions(+) create mode 100644 docs/docbook/devdoc/gencache.sgml (limited to 'docs/docbook') diff --git a/docs/docbook/devdoc/gencache.sgml b/docs/docbook/devdoc/gencache.sgml new file mode 100644 index 0000000000..1ba2f77c9d --- /dev/null +++ b/docs/docbook/devdoc/gencache.sgml 
@@ -0,0 +1,119 @@ + + + + RafalSzczesniak + + April 2003 + + +General cache mechanism and API + + +Abstract + +General cache (gencache) was designed to combine various kinds of caching +mechanisms into one, defined by a simple API. This way, anyone can use it +to create their own caching layer on top of gencache. An example of +such approach is the netbios name cache. + + + + +The mechanism + +Gencache utilises tdb database, like many other +parts of Samba. As its origins are in Berkeley DB implementation, it +uses key/value pairs stored in binary file. The values gencache +operates on are string-based, however. This makes very easy to use it +in command line environment eg. to quickly take a look at what's in +the cache or set some value. + + + +All the data is stored in gencache.tdb +file. Records put there are in key/value format as mentioned below, +but as it's a cache, the timeout plays also important role and has a +special place in the key/value pair, as well as API. + + + + + +The data structure + +The record stored in gencache.tdb file consists +of the key, the value and the expiration timeout. While the first part +is stored completely independent from the others, the last two are +kept together. The form the record has is: + + + +key: <string&bt; +value: <12-digit timeout&bt;/<string> + + +The timeout part is the ASCII representation of +time_t value of the time when the cache entry +expires. Obviously the API, the programmer is provided with, hides this detail, +so that you don't have to care about checking it. Simply watch +carefully the return status of the function. + + + + +The API + + +BOOL gencache_init() + + +This is used to initialise to whole caching mechanism. It means +opening the file or creating it if non-existing. If it's already been +opened earlier, then the routine just does nothing and returns +true. If something goes wrong, say the user +doesn't have necessary rights, the function returns +false. 
+ + +BOOL gencache_shutdown() + + +This is the proper way to close the cache file. It simply +returns true after successful closing file and +false upon a failure. + + +BOOL gencache_set(const char* keystr, const char* value, time_t timeout) + + +This is one of the most basic functions. What it allows you to +do is to set some particular cache entry. If the entry haven't +existed yet, the function will act just as it was "gencache_add" +function. If it's already been in the cache, the entry will be set to +the new value. In either case, the cache entry will be set with given +key, value and timeout. Thus it is comfortable way to just set the +entry and not care about the details. + + +BOOL gencache_set_only(const char* keystr, const char* value, time_t timeout) + + + +BOOL gencache_del(const char* keystr) + + + +BOOL gencache_get(const char* keystr, char** valstr, time_t* timeout) + + + +void gencache_iterate(void (*fn)(const char* key, const char *value, time_t timeout, void* dptr), + void* data, const char* keystr_pattern) + + + + +Writing your own caching layer + + + -- cgit From 800f68d2fbba2cc1727329c5c026e5a8165b9fd0 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Thu, 17 Apr 2003 12:08:03 +0000 Subject: Small edits. (This used to be commit f75624dad4183748fcf31390e249b945716c333a) --- docs/docbook/projdoc/NT4Migration.sgml | 4 +++- docs/docbook/projdoc/passdb.sgml | 4 +--- 2 files changed, 4 insertions(+), 4 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/projdoc/NT4Migration.sgml b/docs/docbook/projdoc/NT4Migration.sgml index 3ff2fa1e7e..1f7371de36 100644 --- a/docs/docbook/projdoc/NT4Migration.sgml +++ b/docs/docbook/projdoc/NT4Migration.sgml @@ -14,7 +14,9 @@ Samba-3 based domain control. Planning and Getting Started -You must use at least the following ... + +You must use at least the following ... + Objectives diff --git a/docs/docbook/projdoc/passdb.sgml b/docs/docbook/projdoc/passdb.sgml index 762d77cd46..0de0376df8 100644 
--- a/docs/docbook/projdoc/passdb.sgml +++ b/docs/docbook/projdoc/passdb.sgml @@ -450,9 +450,7 @@ include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/samba.schema - -## uncomment this line if you want to support the RFC2307 (NIS) schema -## include /etc/openldap/schema/nis.schema +include /etc/openldap/schema/nis.schema .... -- cgit From 30f3314a0f70bff6c447164a60463f10731c4805 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Thu, 17 Apr 2003 16:08:22 +0000 Subject: Edits in progress. (This used to be commit c1dea19852d8eedf590323ac464f863eb3b92c83) --- docs/docbook/projdoc/Browsing-Quickguide.sgml | 26 +++++++++++ docs/docbook/projdoc/NT4Migration.sgml | 64 ++++++++++++++++++++++++++- 2 files changed, 88 insertions(+), 2 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/projdoc/Browsing-Quickguide.sgml b/docs/docbook/projdoc/Browsing-Quickguide.sgml index ed5b9a61af..d8df57dcb9 100644 --- a/docs/docbook/projdoc/Browsing-Quickguide.sgml +++ b/docs/docbook/projdoc/Browsing-Quickguide.sgml @@ -301,6 +301,32 @@ particularly not using it's own IP address. Specifying both will cause &nmbd; to refuse to start! + +WINS Replication + + +Samba-3 permits WINS replication through the use of the wrepld utility. +This tool is not currently capable of being used as it is still in active development. +As soon as this tool becomes moderately functional we will prepare man pages and enhance this +section of the documentation to provide usage and technical details. + + + + +Static WINS Entries + + +New to Samba-3 is a tool called winsedit that may be used to add +static WINS entries to the WINS database. This tool can be used also to modify entries +existing in the WINS database. + + + +The development of the winsedit tool was made necessary due to the migration +of the older style wins.dat file into a new tdb binary backend data store. + + + 
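Review bot: In the new WINS Replication section of Browsing-Quickguide.sgml, the opening sentence "Samba-3 permits WINS replication through the use of the wrepld utility" is contradicted by the next one, which says the tool is not currently capable of being used. A reader skimming for features could plan a replicated WINS design around something that does not work yet. Suggest leading with the status (wrepld is in development and not usable) and describing the intent afterwards. In Static WINS Entries, winsedit is named without an invocation or a pointer to a man page. Since the text says wins.dat has moved into a tdb binary store, it should also say how an administrator lists the existing entries before modifying them.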
diff --git a/docs/docbook/projdoc/NT4Migration.sgml b/docs/docbook/projdoc/NT4Migration.sgml index 1f7371de36..3640c78942 100644 --- a/docs/docbook/projdoc/NT4Migration.sgml +++ b/docs/docbook/projdoc/NT4Migration.sgml 
@@ -15,16 +15,76 @@ Samba-3 based domain control. Planning and Getting Started -You must use at least the following ... +In the IT world there is often a saying that all problems are encountered because of +poor planning. The corrollary to this saying is that not all problems can be anticpated +and planned for. Then again, good planning will anticpate most show stopper type situations. + + + +Those wishing to migrate from MS Windows NT4 domain control to a Samba-3 domain control +environment would do well to develop a detailed migration plan. So here are a few pointers to +help migration get under way. Objectives -Blah blah objectives here. +The key objective for most organisations will be to make the migration from MS Windows NT4 +to Samba-3 domain control as painless as possible. One of the challenges you may experience +in your migration process may well be one of convincing management that the new environment +should remain in place. Many who have introduced open source technologies have experienced +pressure to return to a Microsoft based platform solution at the first sign of trouble. + + + +It is strongly advised that before attempting a migration to a Samba-3 controlled network +that every possible effort be made to gain all-round commitment to the change. Firstly, you +should know precisely why the change is important for the organisation. +Possible motivations to make a change include: + + + + + Improve network manageability + + + Obtain better user level functionality + + + Reduce network operating costs + + + Reduce exposure caused by Microsoft withdrawal of NT4 support + + + Avoid MS License 6 implications + + + Reduce organisation's dependency on Microsoft + + + + +It is vital that oit be well recognised that Samba-3 is NOT MS Windows NT4. Samba-3 offers +an alternative solution that is both different from MS Windows NT4 and that offers some +advantages compared with it. 
It should also be recognised that Samba-3 lacks many of the +features that Microsoft has promoted as core values in migration from MS Windows NT4 to +MS Windows 2000 and beyond (with or without Active Directory services). + +What are the features the Samba-3 can NOT provide? + + + + Active Directory Server + Group Policy Objects (in Active Direcrtory) + Machine Policy objects + Logon Scripts in Active Directorty + Software Application and Access Controls in Active Directory + + Steps In Migration Process -- cgit From 683bba2e8b0de88751622160a504a181b525812a Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 17 Apr 2003 17:25:24 +0000 Subject: Fix syntax errors (This used to be commit 0a55ff6738f9a8bdc480cb71c43e7372e45af216) --- docs/docbook/projdoc/PolicyMgmt.sgml | 2 +- docs/docbook/projdoc/samba-doc.sgml | 1 - 2 files changed, 1 insertion(+), 2 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/projdoc/PolicyMgmt.sgml b/docs/docbook/projdoc/PolicyMgmt.sgml index a6c5ffa8e4..7557d496a4 100644 --- a/docs/docbook/projdoc/PolicyMgmt.sgml +++ b/docs/docbook/projdoc/PolicyMgmt.sgml @@ -195,12 +195,12 @@ exists with NT4 style policy files. Administration of Win2K / XP Policies + Instructions Instead of using the tool called "The System Policy Editor", commonly called Poledit (from the executable name poledit.exe), GPOs are created and managed using a Microsoft Management Console (MMC) snap-in as follows: - diff --git a/docs/docbook/projdoc/samba-doc.sgml b/docs/docbook/projdoc/samba-doc.sgml index c56255d13a..328287ee04 100644 --- a/docs/docbook/projdoc/samba-doc.sgml +++ b/docs/docbook/projdoc/samba-doc.sgml @@ -106,6 +106,5 @@ for various environments. &Diagnosis; &problems; &BUGS; -&MANUALPAGES; -- cgit From 1ac5abe51637c5a1150c19cdeba128ece5fd67f1 Mon Sep 17 00:00:00 2001 
From: Jelmer Vernooij Date: Thu, 17 Apr 2003 18:58:53 +0000 Subject: Update SGML layout. (This used to be commit 934dbcb1ae47811cae69c3b0677ba89e4f8eabee) --- docs/docbook/samba.dsl | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'docs/docbook') diff --git a/docs/docbook/samba.dsl b/docs/docbook/samba.dsl index 7c530ce424..5a424a551f 100644 --- a/docs/docbook/samba.dsl +++ b/docs/docbook/samba.dsl @@ -68,7 +68,11 @@ ; === Books only === (define %generate-book-titlepage% #t) (define %generate-book-toc% #t) -(define ($generate-chapter-toc$) #f) ;; never generate a chapter TOC in books +(define %generate-part-toc% #f) +(define %generate-part-titlepage% #t) +(define %generate-chapter-toc% #f) +(define %number-screen-lines% #t) +(define %generate-partintro-on-titlepage% #f) ; === Articles only === (define %generate-article-titlepage% #t) -- cgit From c85cb325aa8e18ecf4685a271bb124768d25c7eb Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 17 Apr 2003 19:12:05 +0000 Subject: Fix syntax errors (This used to be commit c7f18b38e683bf3b341504e02af448ce13fad248) --- docs/docbook/manpages/net.8.sgml | 3 ++- docs/docbook/manpages/ntlm_auth.1.sgml | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/manpages/net.8.sgml b/docs/docbook/manpages/net.8.sgml index a22797845b..8ee965e3ed 100644 --- a/docs/docbook/manpages/net.8.sgml +++ b/docs/docbook/manpages/net.8.sgml @@ -208,7 +208,7 @@ Join a domain. If the account already exists on the server, and [TYPE] is MEMBER, the machine will attempt to join automatically. (Assuming that the machine has been created in server manager) Otherwise, a password will be prompted for, and a new account may -be created. +be created. [TYPE] may be PDC, BDC or MEMBER to specify the type of server @@ -224,6 +224,7 @@ using the old style of domain joining - you need to create a trust account in server manager first. + [RPC|ADS] USER 
diff --git a/docs/docbook/manpages/ntlm_auth.1.sgml b/docs/docbook/manpages/ntlm_auth.1.sgml index 08a7d4aa88..42a362cd41 100644 --- a/docs/docbook/manpages/ntlm_auth.1.sgml +++ b/docs/docbook/manpages/ntlm_auth.1.sgml @@ -1,7 +1,7 @@ %globalentities; ]> - + ntlm_auth @@ -41,6 +41,7 @@ OPTIONS + --helper-protocol=PROTO -- cgit From 3706db02165c555d37f566d26ea9d0984d5c2b59 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 17 Apr 2003 19:12:40 +0000 Subject: Always use DSSSL stylesheet (This used to be commit aee2c48c729c4c9d7187556a9fabc4becb4045dd) --- docs/docbook/Makefile.in | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/Makefile.in b/docs/docbook/Makefile.in index d594764c2c..e44108401d 100644 --- a/docs/docbook/Makefile.in +++ b/docs/docbook/Makefile.in @@ -82,21 +82,21 @@ html: # Text files $(TXTDIR)/Samba-HOWTO-Collection.txt: $(PROJDOC)/samba-doc.sgml - $(DOCBOOK2TXT) -o . $< + $(DOCBOOK2TXT) -d samba.dsl -o . $< mv ./samba-doc.txt $@ $(TXTDIR)/Samba-Developers-Guide.txt: $(DEVDOC)/dev-doc.sgml - $(DOCBOOK2TXT) -o . $< + $(DOCBOOK2TXT) -d samba.dsl -o . $< mv ./dev-doc.txt $@ # PostScript $(PSDIR)/Samba-HOWTO-Collection.ps: $(PROJDOC)/samba-doc.sgml - $(DOCBOOK2PS) -o . $< + $(DOCBOOK2PS) -d samba.dsl -o . $< mv ./samba-doc.ps $@ $(PSDIR)/Samba-Developers-Guide.ps: $(DEVDOC)/dev-doc.sgml - $(DOCBOOK2PS) -o . $< + $(DOCBOOK2PS) -d samba.dsl -o . $< mv ./dev-doc.ps $@ # Adobe PDF files 
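Review bot: The "-d samba.dsl" added to the text and PostScript rules in Makefile.in is a relative path, and samba.dsl is not a prerequisite of any of these targets. The stylesheet is therefore resolved against whatever directory make is run from, and editing samba.dsl will not rebuild Samba-HOWTO-Collection or Samba-Developers-Guide in either format. Suggest holding the stylesheet path in one variable anchored on the source directory and adding it to each dependency list, for example "$(TXTDIR)/Samba-HOWTO-Collection.txt: $(PROJDOC)/samba-doc.sgml samba.dsl". The recipes can stay as they are, because "$<" still expands to the first prerequisite only.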
@@ -110,19 +110,19 @@ $(PDFDIR)/Samba-Developers-Guide.pdf: $(HTMLDIR)/Samba-Developers-Guide.html # Single large HTML files $(HTMLDIR)/Samba-HOWTO-Collection.html: $(PROJDOC)/samba-doc.sgml - $(DOCBOOK2HTML) -u -o . $< + $(DOCBOOK2HTML) -d samba.dsl -u -o . $< mv ./samba-doc.html $@ $(HTMLDIR)/Samba-Developers-Guide.html: $(DEVDOC)/dev-doc.sgml - $(DOCBOOK2HTML) -u -o . $< + $(DOCBOOK2HTML) -d samba.dsl -u -o . $< mv ./dev-doc.html $@ $(HTMLDIR)/%.html: $(MANPROJDOC)/%.sgml - $(DOCBOOK2HTML) -u -o $(HTMLDIR) $< + $(DOCBOOK2HTML) -d samba.dsl -u -o $(HTMLDIR) $< $(MANDIR)/%: $(MANPROJDOC)/%.sgml - $(DOCBOOK2MAN) -o $(MANDIR) $< + $(DOCBOOK2MAN) -d samba.dsl -o $(MANDIR) $< $(PERL) scripts/strip-links.pl < $@ > $@.temp mv $@.temp $@ -- cgit From a4c20fc76b3fd2f1f7f0322b5b6d4520d6a95ebe Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Thu, 17 Apr 2003 19:56:52 +0000 Subject: Add notes on Japanese charsets from Monyo (This used to be commit 571e14bd07148d95e3e83167e83362bec0502d55) --- docs/docbook/projdoc/unicode.sgml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) (limited to 'docs/docbook') diff --git a/docs/docbook/projdoc/unicode.sgml b/docs/docbook/projdoc/unicode.sgml index 2f794aadc2..42d2e1d50f 100644 --- a/docs/docbook/projdoc/unicode.sgml +++ b/docs/docbook/projdoc/unicode.sgml @@ -1,6 +1,12 @@ &author.jelmer; + + TAKAHASHIMotonobu + +
monyo@home.monyo.com
+
+
25 March 2003
@@ -99,4 +105,24 @@ filenames from CP850 to the iso8859-15 charset.
+ + +Japanese charsets + +Samba doesn't work correctly with Japanese charsets yet. Here are points of attention when setting it up: + + +You should set mangling method = hash +There are various iconv() implementations around and not all of +them work equally well. glibc2's iconv() has a critical problem in CP932. +libiconv-1.8 works with CP932 but still has some problems and does not +work with EUC-JP. +You should set dos charset = CP932, not Shift_JIS, SJIS... +Currently only unix charset = CP932 will work (but still has some problems...) because of iconv() issues. unix charset = EUC-JP doesn't work well because of iconv() issues. +Currently Samba 3.0 does not support unix charset = UTF8-MAC/CAP/HEX/JIS* + + +More information (in Japanese) is available at: http://www.atmarkit.co.jp/flinux/special/samba3/samba3a.html. + + -- cgit From 3291b9290dbedc77b1fae9d8e13fd86d60c0afc2 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Sat, 19 Apr 2003 22:32:53 +0000 Subject: Updates and additions. (This used to be commit 9b35377f0cf5022519385a2b70237c05c7978158) --- docs/docbook/projdoc/AdvancedNetworkAdmin.sgml | 15 ++ docs/docbook/projdoc/NT4Migration.sgml | 233 ++++++++++++++++++++++--- docs/docbook/projdoc/passdb.sgml | 33 +++- 3 files changed, 248 insertions(+), 33 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml b/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml index 138095e02c..dc2a78f5a6 100644 --- a/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml +++ b/docs/docbook/projdoc/AdvancedNetworkAdmin.sgml 
@@ -269,8 +269,23 @@ Those wishing to use more elaborate or capable logon processing system should ch http://www.craigelachie.org/rhacer/ntlogon http://www.kixtart.org + http://support.microsoft.com/default.asp?scid=kb;en-us;189105 + +Adding printers without user intervention + + +Printers may be added automatically during logon script processing through the use of: + + + rundll32 printui.dll,PrintUIEntry /? + + +See the documentation in the Microsoft knowledgebase article no: 189105 referred to above. + + + diff --git a/docs/docbook/projdoc/NT4Migration.sgml b/docs/docbook/projdoc/NT4Migration.sgml index 3640c78942..6e40709081 100644 --- a/docs/docbook/projdoc/NT4Migration.sgml +++ b/docs/docbook/projdoc/NT4Migration.sgml 
@@ -74,70 +74,253 @@ MS Windows 2000 and beyond (with or without Active Directory services). -What are the features the Samba-3 can NOT provide? +What are the features that Samba-3 can NOT provide? - - Active Directory Server - Group Policy Objects (in Active Direcrtory) - Machine Policy objects - Logon Scripts in Active Directorty - Software Application and Access Controls in Active Directory - + + + Active Directory Server + + + Group Policy Objects (in Active Direcrtory) + + + Machine Policy objects + + + Logon Scripts in Active Directorty + + + Software Application and Access Controls in Active Directory + + + + +The features that Samba-3 DOES provide and that may be of compelling interest to your site +includes: + + + + + Lower Cost of Ownership + + + Global availability of support with no strings attached + + + Dynamic SMB Servers (ie:Can run more than one server per Unix/Linux system) + + + Creation of on-the-fly logon scripts + + + Creation of on-the-fly Policy Files + + + Greater Stability, Reliability, Performance and Availability + + + Manageability via an ssh connection + + + Flexible choices of back-end authentication technologies (tdbsam, ldapsam, mysqlsam) + + + Ability to implement a full single-signon architecture + + + Ability to distribute authentication systems for absolute minimum wide are network bandwidth demand + + + + +Before migrating a network from MS Windows NT4 to Samba-3 it is vital that all necessary factors are +considered. Users should be educated about changes they may experience so that the change will be a +welcome one and not become an obstacle to the work they need to do. The following are some of the +factors that will go into a successful migration: + + + +Domain Layout + + +Samba-3 can be configured as a domain controller, a back-up domain controller (probably best called +a secondary controller), a domain member, or as a stand-alone server. 
The Windows network security +domain context should be sized and scoped before implementation. Particular attention needs to be +paid to the location of the primary domain controller (PDC) as well as backup controllers (BDCs). +It should be noted that one way in which Samba-3 differs from Microsoft technology is that if one +chooses to use an LDAP authentication backend then the same database can be used by several different +domains. This means that in a complex organisation there can be a single LDAP database, that itself +can be distributed, that can simultaneously serve multiple domains (that can also be widely distributed). + + + +It is recommended that from a design perspective, the number of users per server, as well as the number +of servers, per domain should be scaled according to needs and should also consider server capacity +and network bandwidth. + + + +A physical network segment may house several domains, each of which may span multiple network segments. +Where domains span routed network segments it is most advisable to consider and test the performance +implications of the design and layout of a network. A Centrally located domain controller that is being +designed to server mulitple route network segments may result in severe performance problems if the +response time (eg: ping timing) between the remote segment and the PDC is more than 100 ms. In situations +where the delay is too long it is highly recommended to locate a backup controller (BDC) to serve as +the local authentication and access control server. + + + + +Server Share and Directory Layout + + +There are few cardinal rules to effective network design that can be broken with impunity. +The most important rule of effective network management is that simplicity is king in every +well controlled network. Every part of the infrastructure must be managed, the more complex +it is, the greater will be the demand of keeping systems secure and functional. 
+ + + +The nature of the data that must be stored needs to be born in mind when deciding how many +shares must be created. The physical disk space layout should also be taken into account +when designing where share points will be created. Keep in mind that all data needs to be +backed up, thus the simpler the disk layout the easier it will be to keep track of what must +be backed up to tape or other off-line storage medium. Always plan and implement for minimum +maintenance. Leave nothing to chance in your design, above all, do not leave backups to chance: +Backup and test, validate every backup, create a disaster recovery plan and prove that it works. + + + +Users should be grouped according to data access control needs. File and directory access +is best controlled via group permissions and the use of the "sticky bit" on group controlled +directories may substantially avoid file access complaints from samba share users. + + + +Many network administrators who are new to the game will attempt to use elaborate techniques +to set access controls, on files, directories, shares, as well as in share definitions. +There is the ever present danger that that administrator's successor will not understand the +complex mess that has been inherited. Remember, apparent job security through complex design +and implementation may ultimately cause loss of operations and downtime to users as the new +administrator learns to untangle your web. Keep access controls simple and effective and +make sure that users will never be interrupted by the stupidity of complexity. + + + + +Logon Scripts + + +Please refer to the section of this document on Advanced Network Adminsitration for information +regarding the network logon script options for Samba-3. Logon scripts can help to ensure that +all users gain share and printer connections they need. + + + +Logon scripts can be created on-the-fly so that all commands executed are specific to the +rights and privilidges granted to the user. 
The preferred controls should be affected through +group membership so that group information can be used to custom create a logong script using +the root preexec parameters to the NETLOGON share. + + + +Some sites prefer to use a tool such as kixstart to establish a controlled +user environment. In any case you may wish to do a google search for logon script process controls. +In particular, you may wish to explore the use of the Microsoft knowledgebase article KB189105 that +deals with how to add printers without user intervention via the logon script process. + + + + +Profile Migration/Creation + + +User and Group Profiles may be migrated using the tools described in the section titled Desktop Profile +Management. + + + +Profiles may also be managed using the Samba-3 tool profiles. This tool allows +the MS Windows NT style security identifiers (SIDs) that are stored inside the profile NTuser.DAT file +to be changed to the SID of the Samba-3 domain. + + + + +User and Group Accounts + + +It is possible to migrate all account settings from an MS Windows NT4 domain to Samba-3. Before + attempting to migrate user and group accounts it is STRONGLY advised to create in Samba-3 the +groups that are present on the MS Windows NT4 domain AND to connect these to +suitable Unix/Linux groups. Following this simple advice will mean that all user and group attributes +should migrate painlessly. + + + Steps In Migration Process This is not a definitive ste-by-step process yet - just a place holder so the info is not lost. + -1. You will have an NT4 PDC that has the users, groups, policies and profiles to be migrated + + +You will have an NT4 PDC that has the users, groups, policies and profiles to be migrated + -2. Samba-3 set up as a DC with netlogon share, profile share, etc. + +Samba-3 set up as a DC with netlogon share, profile share, etc. + + -3. Process: - a. 
Create a BDC account for the samba server using NT Server Manager + +Process: + Create a BDC account for the samba server using NT Server Manager - Samba must NOT be running - b. rpcclient NT4PDC -U Administrator%passwd + rpcclient NT4PDC -U Administrator%passwd lsaquery Note the SID returned by step b. - c. net getsid -S NT4PDC -w DOMNAME -U Administrator%passwd + net getsid -S NT4PDC -w DOMNAME -U Administrator%passwd Note the SID in step c. - d. net getlocalsid + net getlocalsid Note the SID, now check that all three SIDS reported are the same! - e. net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd + net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd - f. net rpc vampire -S NT4PDC -U administrator%passwd + net rpc vampire -S NT4PDC -U administrator%passwd - g. pdbedit -l + pdbedit -l Note - did the users migrate? - h. initGrps.sh DOMNAME + initGrps.sh DOMNAME - i. smbgroupedit -v + smbgroupedit -v Now check that all groups are recognised - j. net rpc campire -S NT4PDC -U administrator%passwd + net rpc campire -S NT4PDC -U administrator%passwd - k. pdbedit -lv + pdbedit -lv Note - check that all group membership has been migrated. + - + Now it is time to migrate all the profiles, then migrate all policy files. - -Moe later. +More later. diff --git a/docs/docbook/projdoc/passdb.sgml b/docs/docbook/projdoc/passdb.sgml index 0de0376df8..776c79f095 100644 --- a/docs/docbook/projdoc/passdb.sgml +++ b/docs/docbook/projdoc/passdb.sgml @@ -341,8 +341,9 @@ include: The second item can be accomplished by using LDAP NSS and PAM modules. LGPL versions of these libraries can be obtained from PADL Software -(http://www.padl.com/). However, -the details of configuring these packages are beyond the scope of this document. +(http://www.padl.com/). More +information about the configuration of these packages may be found at "LDAP, +System Administration; Gerald Carter, O'Reilly; Chapter 6: Replacing NIS". 
@@ -375,7 +376,7 @@ Samba 3.0 includes the necessary schema file for OpenLDAP 2.0 in -objectclass ( 1.3.1.5.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL +objectclass ( 1.3.1.5.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top AUXILIARY DESC 'Samba Account' MUST ( uid $ rid ) MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $ @@ -476,6 +477,11 @@ index rid eq ##index gidNumber eq ##index cn eq ##index memberUid eq + +# (both fetched via ldapsearch): +index primaryGroupID eq +index displayName pres,eq + @@ -485,16 +491,20 @@ index rid eq The following parameters are available in smb.conf only with --with-ldapsam -was included with compiling Samba. +was included when compiling Samba. + passdb backend [ldapsam|ldapsam_nua]:url ldap ssl - ldap server ldap admin dn ldap suffix ldap filter ldap port + ldap machine suffix + ldap user suffix + ldap delete dn + @@ -521,13 +531,20 @@ use with an LDAP directory could appear as # changes, this password will need to be reset. ldap admin dn = "cn=Samba Manager,ou=people,dc=samba,dc=org" - # specify the LDAP server's hostname (defaults to locahost) - ldap server = ahab.samba.org - # Define the SSL option when connecting to the directory # ('off', 'start tls', or 'on' (default)) ldap ssl = start tls + passdb backend ldapsam:ldap://ahab.samba.org + + # smbpasswd -x delete the entire dn-entry + ldap delete dn = no + + # the machine and user suffix added to the base suffix + # wrote WITHOUT quotes. NULL siffixes by default + ldap user suffix = ou=People + ldap machine suffix = ou=Systems + # define the port to use in the LDAP session (defaults to 636 when # "ldap ssl = on") ldap port = 389 -- cgit From e94801be2d6fd61e3466cbbf43b202a12664a0a9 Mon Sep 17 00:00:00 2001 
From: John Terpstra Date: Sat, 19 Apr 2003 22:38:47 +0000 Subject: Fix typo. (This used to be commit a4f89aabfa28a6763008a6eab944ad11dabf5e4c) --- docs/docbook/projdoc/NT4Migration.sgml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs/docbook') diff --git a/docs/docbook/projdoc/NT4Migration.sgml b/docs/docbook/projdoc/NT4Migration.sgml index 6e40709081..385aa7810b 100644 --- a/docs/docbook/projdoc/NT4Migration.sgml +++ b/docs/docbook/projdoc/NT4Migration.sgml @@ -253,7 +253,7 @@ to be changed to the SID of the Samba-3 domain. It is possible to migrate all account settings from an MS Windows NT4 domain to Samba-3. Before attempting to migrate user and group accounts it is STRONGLY advised to create in Samba-3 the -groups that are present on the MS Windows NT4 domain AND to connect these to +groups that are present on the MS Windows NT4 domain AND to connect these to suitable Unix/Linux groups. Following this simple advice will mean that all user and group attributes should migrate painlessly. -- cgit From 95b2ff81b5dcf7f090a36f8044b908b34f7579f1 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Sun, 20 Apr 2003 00:26:50 +0000 Subject: More update stuff - not finished (ofcourse!) (This used to be commit 5d72c6cfca41accc783eda166d8b9154d21f4aec) --- docs/docbook/projdoc/NT4Migration.sgml | 103 +++++++++++++++++++++++++++++++++ 1 file changed, 103 insertions(+) (limited to 'docs/docbook') diff --git a/docs/docbook/projdoc/NT4Migration.sgml b/docs/docbook/projdoc/NT4Migration.sgml index 385aa7810b..1a31def2fe 100644 --- a/docs/docbook/projdoc/NT4Migration.sgml +++ b/docs/docbook/projdoc/NT4Migration.sgml 
@@ -326,6 +326,109 @@ More later. + +Migration Options + + +There are 3 major Site Types: + + + +<= 50 Users +Want simple conversion with NO pain +50 - 250 Users +Want new features, can manage some in-house complexity +Large Scale Sites +Solution / Implementation MUST scale well, complex needs +Cross departmental decision process +Local expertise in most areas +Planning for Success +Decide which approach is needed - 3 Choices +Simple Conversion (total replacement) +Upgraded Conversion (could be one of integration) +Complete Redesign (completely new solution) +Take sufficient time +Avoid Panic +Test ALL assumptions +Test full roll-out program, including workstation deployment +Simple Conversion +Make use of minimal OS specific features +Can use No Unix Accounts Option +Suck all accounts from NT4 into Samba-3 +Make least number of operational changes +Take least amount of time to migrate +Live versus Isolated Conversion +Integrate Samba-3 then migrate while users are active +Change of control (ie: swap out) +Upgraded Conversion +Translate NT4 features to new host OS features +Copy and improve +Old environment to Samba-3 +Make progressive improvements +Minimise user impact +Macimise functionality +Take advantage of lower maintenance opportunity +Complete Network Redesign +Decide +Authentication Regime (database locate and access) +Desktop Management Methods +Better Control of Desktops / Users +Identify Needs for: +Manageability, Scalability, Security, Availability +Samba Implementation Choices +Authentication database back end +Winbind (external Samba or NT4/200x server) +Can use pam_mkhomedir.so to auto-create home dirs +External server could use Active Directory or NT4 Domain +Database type +smbpasswd, tdbsam, ldapsam, MySQLsam +With local accounts or with No Unix Accounts (NUA option) +Samba Implementation Choice - II +Access Control Points +On the Share itself (Use NT4 Server Manager) +On the file system +Unix permissions on files and directories +Posix ACLs 
enablement in file system? +Through Samba share parameters +Not recommended - except as only resort +Samba Implementation Choice - III +Policies (migrate or create new ones) +Group Policy Editor (NT4) +Watch out for Tattoo effect +User and Group Profiles +Platform specific so use platform tool to change from a Local to a Roaming profile +Can use new profiles tool to change SIDs (NTUser.DAT) +Logon Scripts (Know how they work) +Samba Implementation Choices - IV +User and Group mapping to Unix/Linux +username map facility may be needed +Use smbgroupedit to connect NT4 groups to Unix groups +Use pdbedit to set/change user configuration +NOTE: +If migrating to LDAP back end it may be easier to dump initial LDAP database to LDIF, then edit, then reload into LDAP +Samba Implementation Choices - V +OS specific scripts / programs may be needed +Add / delete Users +Note OS limits on size of name (Linux 8 chars) +NT4 up to 254 chars +Add / delete machines +Applied only to domain members (note up to 16 chars) +Add / delete Groups +Note OS limits on size and nature +Linux limit is 16 char, no spaces and no upper case chars (groupadd) +Migration Tools +Domain Control (NT4 Style) +Profiles, Policies, Access Controls, Security +Migration Tools +Samba: net, rpcclient, smbpasswd, pdbedit, smbgroupedit, profiles +Windows: NT4 Domain User Manager, Server Manager (NEXUS) +Authentication +New SAM back end (smbpasswd, tdbsam, ldapsam, mysqlsam) +With of without Unix Accounts (NUA) + + + + Managing Samba-3 Domain Control -- cgit From a0a4b2b5950f8e495c51691e2fb9dcade2bfa2ce Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Mon, 21 Apr 2003 14:39:16 +0000 Subject: More updates - still a work in progress. (This used to be commit 63589f958b399534bc0bc8c50213ad2f6a380689) --- docs/docbook/projdoc/NT4Migration.sgml | 224 ++++++++++++++++++++++++++++----- 1 file changed, 195 insertions(+), 29 deletions(-) (limited to 'docs/docbook') 
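Review bot: the outline added under "Migration Options" in NT4Migration.sgml has two misspellings that will reach the rendered guide: "Macimise functionality" should be "Maximise functionality", and "With of without Unix Accounts (NUA)" should be "With or without". The heading "Migration Tools" also appears twice at the end of the outline, the second time directly under "Profiles, Policies, Access Controls, Security", so one of the two should be renamed or dropped. "Posix ACLs enablement in file system?" reads as an open question to the author; state instead whether POSIX ACL support has to be enabled in the file system for this access control point.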
diff --git a/docs/docbook/projdoc/NT4Migration.sgml b/docs/docbook/projdoc/NT4Migration.sgml index 1a31def2fe..98b5cbe995 100644 --- a/docs/docbook/projdoc/NT4Migration.sgml +++ b/docs/docbook/projdoc/NT4Migration.sgml @@ -66,7 +66,7 @@ Possible motivations to make a change include: -It is vital that oit be well recognised that Samba-3 is NOT MS Windows NT4. Samba-3 offers +It is vital that it be well recognised that Samba-3 is NOT MS Windows NT4. Samba-3 offers an alternative solution that is both different from MS Windows NT4 and that offers some advantages compared with it. It should also be recognised that Samba-3 lacks many of the features that Microsoft has promoted as core values in migration from MS Windows NT4 to @@ -164,7 +164,7 @@ and network bandwidth. A physical network segment may house several domains, each of which may span multiple network segments. Where domains span routed network segments it is most advisable to consider and test the performance implications of the design and layout of a network. A Centrally located domain controller that is being -designed to server mulitple route network segments may result in severe performance problems if the +designed to serve mulitple routed network segments may result in severe performance problems if the response time (eg: ping timing) between the remote segment and the PDC is more than 100 ms. In situations where the delay is too long it is highly recommended to locate a backup controller (BDC) to serve as the local authentication and access control server. 
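Review bot: the replacement line "+designed to serve mulitple routed network segments" corrects "server" and "route" but still carries the misspelling "mulitple"; change it to "multiple" in the same edit.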
@@ -252,7 +252,7 @@ to be changed to the SID of the Samba-3 domain. It is possible to migrate all account settings from an MS Windows NT4 domain to Samba-3. Before - attempting to migrate user and group accounts it is STRONGLY advised to create in Samba-3 the +attempting to migrate user and group accounts it is STRONGLY advised to create in Samba-3 the groups that are present on the MS Windows NT4 domain AND to connect these to suitable Unix/Linux groups. Following this simple advice will mean that all user and group attributes should migrate painlessly. @@ -265,8 +265,7 @@ should migrate painlessly. Steps In Migration Process -This is not a definitive ste-by-step process yet - just a place holder so the info -is not lost. +The approximate migration process is described below. 
@@ -279,51 +278,218 @@ Samba-3 set up as a DC with netlogon share, profile share, etc. - -Process: - Create a BDC account for the samba server using NT Server Manager - - Samba must NOT be running +The Account Migration Process + Create a BDC account for the samba server using NT Server Manager + Samba must NOT be running + + + rpcclient NT4PDC -U Administrator%passwd + lsaquery + Note the SID returned + + + + net getsid -S NT4PDC -w DOMNAME -U Administrator%passwd + Note the SID + - rpcclient NT4PDC -U Administrator%passwd - lsaquery + net getlocalsid + + Note the SID, now check that all three SIDS reported are the same! + + - Note the SID returned by step b. + net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd - net getsid -S NT4PDC -w DOMNAME -U Administrator%passwd + net rpc vampire -S NT4PDC -U administrator%passwd - Note the SID in step c. + pdbedit -l + Note - did the users migrate? + - net getlocalsid + initGrps.sh DOMNAME - Note the SID, now check that all three SIDS reported are the same! + smbgroupedit -v + Now check that all groups are recognised + - net rpc join -S NT4PDC -w DOMNAME -U Administrator%passwd + net rpc campire -S NT4PDC -U administrator%passwd + + pdbedit -lv + + Note - check that all group membership has been migrated + + + + + +Now it is time to migrate all the profiles, then migrate all policy files. +More later. + - net rpc vampire -S NT4PDC -U administrator%passwd + + - pdbedit -l + +Migration Options - Note - did the users migrate? + +Based on feedback from many sites as well as from actual installation and maintenance +experience sites that wish to migrate from MS Windows NT4 Domain Control to a Samba +based solution fit into three basic categories. + - initGrps.sh DOMNAME +The 3 Major Site Types + + + Number of UsersDescription + + + < 50Want simple conversion with NO pain + 50 - 250Want new features, can manage some in-house complexity + > 250Solution/Implementation MUST scale well, complex needs. 
Cross departmental decision process. Local expertise in most areas + + +
- smbgroupedit -v + +Planning for Success - Now check that all groups are recognised + +There are three basic choices for sites that intend to migrate from MS Windwows NT4 +to Samba-3. + - net rpc campire -S NT4PDC -U administrator%passwd + + + Simple Conversion (total replacement) + - pdbedit -lv + + Upgraded Conversion (could be one of integration) + - Note - check that all group membership has been migrated. -
+ + Complete Redesign (completely new solution) + + -Now it is time to migrate all the profiles, then migrate all policy files. -More later. +No matter what choice you make, the following rules will minimise down-stream problems: + + + Take sufficient time + + + + Avoid Panic + + + + Test ALL assumptions + + + + Test full roll-out program, including workstation deployment + + + +Nature of the Conversion Choices + + + SimpleUpgradedRedesign + + + + Make use of minimal OS specific features + Translate NT4 features to new host OS features + Decide: + + + Suck all accounts from NT4 into Samba-3 + Copy and improve: + Authentication Regime (database location and access) + + + Make least number of operational changes + Make progressive improvements + Desktop Management Methods + + + Take least amount of time to migrate + Minimise user impact + Better Control of Desktops / Users + + + Live versus Isolated Conversion + Maximise functionality + Identify Needs for: Manageability, Scalability, Security, Availability + + + Integrate Samba-3 then migrate while users are active, then Change of control (ie: swap out) + Take advantage of lower maintenance opportunity + + + + +
+ + +Samba Implementation Choices + + +Authentication database back end + Winbind (external Samba or NT4/200x server) + Can use pam_mkhomedir.so to auto-create home dirs + External server could use Active Directory or NT4 Domain +Database type + smbpasswd, tdbsam, ldapsam, MySQLsam + With local accounts or with No Unix Accounts (NUA option) +Access Control Points + On the Share itself (Use NT4 Server Manager) + On the file system + Unix permissions on files and directories + Posix ACLs enablement in file system? + Through Samba share parameters + Not recommended - except as only resort +Policies (migrate or create new ones) + Group Policy Editor (NT4) + Watch out for Tattoo effect +User and Group Profiles + Platform specific so use platform tool to change from a Local to a Roaming profile + Can use new profiles tool to change SIDs (NTUser.DAT) +Logon Scripts (Know how they work) +User and Group mapping to Unix/Linux + username map facility may be needed + Use smbgroupedit to connect NT4 groups to Unix groups + Use pdbedit to set/change user configuration +NOTE: +If migrating to LDAP back end it may be easier to dump initial LDAP database to LDIF, then edit, then reload into LDAP + OS specific scripts / programs may be needed + Add / delete Users + Note OS limits on size of name (Linux 8 chars) + NT4 up to 254 chars + Add / delete machines + Applied only to domain members (note up to 16 chars) + Add / delete Groups + Note OS limits on size and nature + Linux limit is 16 char, no spaces and no upper case chars (groupadd) + +Migration Tools + Domain Control (NT4 Style) + Profiles, Policies, Access Controls, Security +Migration Tools + Samba: net, rpcclient, smbpasswd, pdbedit, smbgroupedit, profiles + Windows: NT4 Domain User Manager, Server Manager (NEXUS) +Authentication + New SAM back end (smbpasswd, tdbsam, ldapsam, mysqlsam) + With of without Unix Accounts (NUA) + + + -- cgit From 9c356a379d0e42405ca4809beefd272697cc215b Mon Sep 17 00:00:00 2001 
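Review bot: in the rewritten "The Account Migration Process" steps of NT4Migration.sgml, the added line "+ net rpc campire -S NT4PDC -U administrator%passwd" carries over the typo from the old text; the earlier step uses "net rpc vampire", and a reader who copies the second command will not get the group membership pass the step is meant to perform. Every command in the procedure also passes the domain administrator password inline as "-U Administrator%passwd", which leaves it in shell history and in the process list on the host being migrated; net and rpcclient prompt for the password when -U is given the user name only, so the steps should show "-U Administrator" and mention the prompt. Smaller points in the same hunk: "MS Windwows NT4" should be "MS Windows NT4", "With of without Unix Accounts (NUA)" should be "With or without", and the account name is written both "Administrator" and "administrator".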
From: Jelmer Vernooij Date: Mon, 21 Apr 2003 14:59:38 +0000 Subject: Remove obsolete information from Speed.sgml and move client-specific info to Other-Clients.sgml (This used to be commit b0d5e1b177808c3bd3494d0b2f6cf4c8c4bcfdd5) --- docs/docbook/projdoc/Other-Clients.sgml | 32 +++++- docs/docbook/projdoc/Speed.sgml | 170 ++++---------------------------- 2 files changed, 52 insertions(+), 150 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/projdoc/Other-Clients.sgml b/docs/docbook/projdoc/Other-Clients.sgml index 6177b4dcb6..73316927e0 100644 --- a/docs/docbook/projdoc/Other-Clients.sgml +++ b/docs/docbook/projdoc/Other-Clients.sgml @@ -168,7 +168,8 @@ packages, Samba, and Linux (and other UNIX-based systems) see Use latest TCP/IP stack from Microsoft Use the latest TCP/IP stack from microsoft if you use Windows -for workgroups. +for workgroups. + The early TCP/IP stacks had lots of bugs. @@ -233,6 +234,24 @@ WfWg. For some reason if you leave Netbeui as the default it may break the print queue reporting on some systems. It is presumably a WfWg bug. + + + +Speed improvement + + +Note that some people have found that setting DefaultRcvWindow in +the [MSTCP] section of the SYSTEM.INI file under WfWg to 3072 gives a +big improvement. I don't know why. + + + +My own experience wth DefaultRcvWindow is that I get much better +performance with a large value (16384 or larger). Other people have +reported that anything over 3072 slows things down enourmously. One +person even reported a speed drop of a factor of 30 when he went from +3072 to 8192. I don't know why. + @@ -266,6 +285,17 @@ OutLook and you may also notice a significant speedup when accessing network neighborhood services. + +Speed improvement + + +Configure the win95 TCPIP registry settings to give better +performance. I use a program called MTUSPEED.exe which I got off the +net. There are various other utilities of this type freely available. + + + + 
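Review bot: the "Speed improvement" paragraph added at -266,6 in Other-Clients.sgml tells readers to use MTUSPEED.exe "which I got off the net" with no source or version, and the list of registry settings that accompanied it in Speed.sgml is deleted by this patch rather than moved; documentation should not point administrators at an unattributed executable, so either name the settings to change or drop the reference to the tool. The text moved into the WfWg section at -233,6 keeps the first-person voice ("My own experience", and "I don't know why" twice), keeps the typos "wth" and "enourmously", and gives two conflicting values for DefaultRcvWindow (3072, and 16384 or larger) without saying how a reader should choose between them.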
diff --git a/docs/docbook/projdoc/Speed.sgml b/docs/docbook/projdoc/Speed.sgml index 78b5935a9c..753810c1d8 100644 --- a/docs/docbook/projdoc/Speed.sgml +++ b/docs/docbook/projdoc/Speed.sgml @@ -62,7 +62,7 @@ line with the -O option, or in the smb.conf file. -The "socket options" section of the smb.conf manual page describes how +The socket options section of the &smb.conf; manual page describes how to set these and gives recommendations. @@ -75,9 +75,9 @@ much. The correct settings are very dependent on your local network. The socket option TCP_NODELAY is the one that seems to make the biggest single difference for most networks. Many people report that -adding "socket options = TCP_NODELAY" doubles the read performance of -a Samba drive. The best explanation I have seen for this is that the -Microsoft TCP/IP stack is slow in sending tcp ACKs. +adding socket options = TCP_NODELAY doubles the read +performance of a Samba drive. The best explanation I have seen for this is +that the Microsoft TCP/IP stack is slow in sending tcp ACKs. @@ -86,9 +86,9 @@ Microsoft TCP/IP stack is slow in sending tcp ACKs. Read size -The option "read size" affects the overlap of disk reads/writes with -network reads/writes. If the amount of data being transferred in -several of the SMB commands (currently SMBwrite, SMBwriteX and +The option read size affects the overlap of disk +reads/writes with network reads/writes. If the amount of data being +transferred in several of the SMB commands (currently SMBwrite, SMBwriteX and SMBreadbraw) is larger than this value then the server begins writing the data before it has received the whole packet from the network, or in the case of SMBreadbraw, it begins writing to the network before 
@@ -114,10 +114,10 @@ pointless and will cause you to allocate memory unnecessarily. Max xmit -At startup the client and server negotiate a "maximum transmit" size, +At startup the client and server negotiate a maximum transmit size, which limits the size of nearly all SMB commands. You can set the -maximum size that Samba will negotiate using the "max xmit = " option -in smb.conf. Note that this is the maximum size of SMB request that +maximum size that Samba will negotiate using the max xmit = option +in &smb.conf;. Note that this is the maximum size of SMB request that Samba will accept, but not the maximum size that the *client* will accept. The client maximum receive size is sent to Samba by the client and Samba honours this limit. @@ -139,7 +139,7 @@ In most cases the default is the best option. Log level -If you set the log level (also known as "debug level") higher than 2 +If you set the log level (also known as debug level) higher than 2 then you may suffer a large drop in performance. This is because the server flushes the log file after each operation, which can be very expensive. @@ -150,20 +150,20 @@ expensive. Read raw -The "read raw" operation is designed to be an optimised, low-latency +The read raw operation is designed to be an optimised, low-latency file read operation. A server may choose to not support it, -however. and Samba makes support for "read raw" optional, with it +however. and Samba makes support for read raw optional, with it being enabled by default. -In some cases clients don't handle "read raw" very well and actually +In some cases clients don't handle read raw very well and actually get lower performance using it than they get using the conventional read operations. -So you might like to try "read raw = no" and see what happens on your +So you might like to try read raw = no and see what happens on your network. It might lower, raise or not affect your performance. Only testing can really tell. 
@@ -174,43 +174,25 @@ testing can really tell. Write raw -The "write raw" operation is designed to be an optimised, low-latency +The write raw operation is designed to be an optimised, low-latency file write operation. A server may choose to not support it, -however. and Samba makes support for "write raw" optional, with it +however. and Samba makes support for write raw optional, with it being enabled by default. -Some machines may find "write raw" slower than normal write, in which +Some machines may find write raw slower than normal write, in which case you may wish to change this option. - -Slow Clients - - -One person has reported that setting the protocol to COREPLUS rather -than LANMAN2 gave a dramatic speed improvement (from 10k/s to 150k/s). - - - -I suspect that his PC's (386sx16 based) were asking for more data than -they could chew. I suspect a similar speed could be had by setting -"read raw = no" and "max xmit = 2048", instead of changing the -protocol. Lowering the "read size" might also help. - - - - Slow Logins Slow logins are almost always due to the password checking time. Using -the lowest practical "password level" will improve things a lot. You -could also enable the "UFC crypt" option in the Makefile. +the lowest practical password level will improve things. 
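Review bot: the added "write raw" lines in Speed.sgml keep the broken sentence "however. and Samba makes support for write raw optional", and the previous hunk keeps the same fragment for "read raw"; since both lines are being rewritten anyway, join them as "however, and Samba makes support for ... optional".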
@@ -221,118 +203,8 @@ could also enable the "UFC crypt" option in the Makefile. Often a speed problem can be traced to the client. The client (for example Windows for Workgroups) can often be tuned for better TCP -performance. - - - -See your client docs for details. In particular, I have heard rumours -that the WfWg options TCPWINDOWSIZE and TCPSEGMENTSIZE can have a -large impact on performance. - - - -Also note that some people have found that setting DefaultRcvWindow in -the [MSTCP] section of the SYSTEM.INI file under WfWg to 3072 gives a -big improvement. I don't know why. - - - -My own experience wth DefaultRcvWindow is that I get much better -performance with a large value (16384 or larger). Other people have -reported that anything over 3072 slows things down enourmously. One -person even reported a speed drop of a factor of 30 when he went from -3072 to 8192. I don't know why. - - - -It probably depends a lot on your hardware, and the type of unix box -you have at the other end of the link. - - - -Paul Cochrane has done some testing on client side tuning and come -to the following conclusions: - - - -Install the W2setup.exe file from www.microsoft.com. This is an -update for the winsock stack and utilities which improve performance. - - - -Configure the win95 TCPIP registry settings to give better -perfomance. I use a program called MTUSPEED.exe which I got off the -net. There are various other utilities of this type freely available. -The setting which give the best performance for me are: - - - - -MaxMTU Remove - - -RWIN Remove - - -MTUAutoDiscover Disable - - -MTUBlackHoleDetect Disable - - -Time To Live Enabled - - -Time To Live - HOPS 32 - - -NDI Cache Size 0 - - - - -I tried virtually all of the items mentioned in the document and -the only one which made a difference to me was the socket options. It -turned out I was better off without any!!!!! 
- - - -In terms of overall speed of transfer, between various win95 clients -and a DX2-66 20MB server with a crappy NE2000 compatible and old IDE -drive (Kernel 2.0.30). The transfer rate was reasonable for 10 baseT. - - - - -The figures are: Put Get -P166 client 3Com card: 420-440kB/s 500-520kB/s -P100 client 3Com card: 390-410kB/s 490-510kB/s -DX4-75 client NE2000: 370-380kB/s 330-350kB/s - - - - -I based these test on transfer two files a 4.5MB text file and a 15MB -textfile. The results arn't bad considering the hardware Samba is -running on. It's a crap machine!!!! - - - -The updates mentioned in 1 and 2 brought up the transfer rates from -just over 100kB/s in some clients. - - - -A new client is a P333 connected via a 100MB/s card and hub. The -transfer rates from this were good: 450-500kB/s on put and 600+kB/s -on get. - - - -Looking at standard FTP throughput, Samba is a bit slower (100kB/s -upwards). I suppose there is more going on in the samba protocol, but -if it could get up to the rate of FTP the perfomance would be quite -staggering. +performance. Check the sections on the various clients in +Samba and Other Clients. -- cgit From 156014a529479b0b3f585d43e7a1f13adc622103 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 21 Apr 2003 15:19:16 +0000 Subject: Fix syntax error (This used to be commit e76eaf0f17de19eb2492572b0c79fc4b2657c504) --- docs/docbook/projdoc/NT4Migration.sgml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/projdoc/NT4Migration.sgml b/docs/docbook/projdoc/NT4Migration.sgml index 98b5cbe995..5799841feb 100644 --- a/docs/docbook/projdoc/NT4Migration.sgml +++ b/docs/docbook/projdoc/NT4Migration.sgml @@ -500,7 +500,7 @@ There are 3 major Site Types: -<= 50 Users +<= 50 Users Want simple conversion with NO pain 50 - 250 Users Want new features, can manage some in-house complexity 
@@ -591,7 +591,7 @@ Windows: NT4 Domain User Manager, Server Manager (NEXUS) Authentication New SAM back end (smbpasswd, tdbsam, ldapsam, mysqlsam) With of without Unix Accounts (NUA) - + -- cgit From f66bbf3c088ee980876599343c083980f884d661 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 21 Apr 2003 15:19:34 +0000 Subject: Create ../textdocs, ../htmldocs or ../manpages if they don't exist already (This used to be commit 8dc7087cf0306271e07a25ac2538206ef3eaa497) --- docs/docbook/Makefile.in | 30 ++++++++++++++++++++++-------- 1 file changed, 22 insertions(+), 8 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/Makefile.in b/docs/docbook/Makefile.in index e44108401d..0739f43f84 100644 --- a/docs/docbook/Makefile.in +++ b/docs/docbook/Makefile.in 
@@ -68,19 +68,22 @@ everything: manpages ps pdf html-single html htmlman txt htmlfaq # Global rules -manpages: $(MANPAGES) -pdf: $(PDFDIR)/Samba-HOWTO-Collection.pdf ../Samba-Developers-Guide.pdf -ps: $(PSDIR)/Samba-HOWTO-Collection.ps ../Samba-Developers-Guide.ps -txt: $(TXTDIR)/Samba-HOWTO-Collection.txt $(TXTDIR)/Samba-Developers-Guide.txt -htmlman: $(MANPAGES_HTML) -htmlfaq: +manpages: $(MANDIR) $(MANPAGES) +pdf: $(PDFDIR) $(PDFDIR)/Samba-HOWTO-Collection.pdf ../Samba-Developers-Guide.pdf +ps: $(PSDIR) $(PSDIR)/Samba-HOWTO-Collection.ps ../Samba-Developers-Guide.ps +txt: $(TXTDIR) $(TXTDIR)/Samba-HOWTO-Collection.txt $(TXTDIR)/Samba-Developers-Guide.txt +htmlman: $(HTMLDIR) $(MANPAGES_HTML) +htmlfaq: $(HTMLDIR) $(DOCBOOK2HTML) -d samba.dsl -o $(FAQDIR) $(FAQPROJDOC)/sambafaq.sgml -html-single: $(HTMLDIR)/Samba-HOWTO-Collection.html $(HTMLDIR)/Samba-Developers-Guide.html -html: +html-single: $(HTMLDIR) $(HTMLDIR)/Samba-HOWTO-Collection.html $(HTMLDIR)/Samba-Developers-Guide.html +html: $(HTMLDIR) $(DOCBOOK2HTML) -d samba.dsl -o $(HTMLDIR) $(PROJDOC)/samba-doc.sgml # Text files +$(TXTDIR): + mkdir $(TXTDIR) + $(TXTDIR)/Samba-HOWTO-Collection.txt: $(PROJDOC)/samba-doc.sgml $(DOCBOOK2TXT) -d samba.dsl -o . $< mv ./samba-doc.txt $@ @@ -91,6 +94,9 @@ $(TXTDIR)/Samba-Developers-Guide.txt: $(DEVDOC)/dev-doc.sgml # PostScript +$(PSDIR): + mkdir $(PSDIR) + $(PSDIR)/Samba-HOWTO-Collection.ps: $(PROJDOC)/samba-doc.sgml $(DOCBOOK2PS) -d samba.dsl -o . $< mv ./samba-doc.ps $@ @@ -109,6 +115,9 @@ $(PDFDIR)/Samba-Developers-Guide.pdf: $(HTMLDIR)/Samba-Developers-Guide.html # Single large HTML files +$(HTMLDIR): + mkdir $(HTMLDIR) + $(HTMLDIR)/Samba-HOWTO-Collection.html: $(PROJDOC)/samba-doc.sgml $(DOCBOOK2HTML) -d samba.dsl -u -o . $< mv ./samba-doc.html $@ 
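Review bot: the new directory prerequisites in Makefile.in are attached to the aggregate targets ("manpages: $(MANDIR) $(MANPAGES)", "txt: $(TXTDIR) ...") and not to the rules that write into those directories, so building a single file target directly, or running a parallel build, can still reach the "mv ./samba-doc.txt $@" and docbook2man steps before the directory exists. Make each file rule depend on its output directory instead. Two related gaps: "pdf:" now depends on "$(PDFDIR)" but the patch adds mkdir rules only for $(TXTDIR), $(PSDIR), $(HTMLDIR) and $(MANDIR), so unless PDFDIR resolves to one of those or has a rule elsewhere in the file, make will stop with no rule to make the target; and "htmlfaq" writes to "$(FAQDIR)" while depending on "$(HTMLDIR)". Using "mkdir -p" in the four new rules would also cover a missing parent directory.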
@@ -121,6 +130,11 @@ $(HTMLDIR)/Samba-Developers-Guide.html: $(DEVDOC)/dev-doc.sgml $(HTMLDIR)/%.html: $(MANPROJDOC)/%.sgml $(DOCBOOK2HTML) -d samba.dsl -u -o $(HTMLDIR) $< +# Manpages + +$(MANDIR): + mkdir $(MANDIR) + $(MANDIR)/%: $(MANPROJDOC)/%.sgml $(DOCBOOK2MAN) -d samba.dsl -o $(MANDIR) $< $(PERL) scripts/strip-links.pl < $@ > $@.temp -- cgit From 78476119faf62ace4f6cbda66b56d00aa63a5ed6 Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 21 Apr 2003 16:04:54 +0000 Subject: Add new part 'Troubleshooting' (This used to be commit a24e89ea443fbe77924cccf7e7679aec80a05088) --- docs/docbook/projdoc/samba-doc.sgml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/projdoc/samba-doc.sgml b/docs/docbook/projdoc/samba-doc.sgml index 328287ee04..de3c9e2974 100644 --- a/docs/docbook/projdoc/samba-doc.sgml +++ b/docs/docbook/projdoc/samba-doc.sgml @@ -95,6 +95,13 @@ for various environments. &unicode; + +Troubleshooting +&Diagnosis; +&problems; +&BUGS; + + Appendixes &Compiling; @@ -103,8 +110,5 @@ for various environments. &Other-Clients; &SWAT; &SPEED; -&Diagnosis; -&problems; -&BUGS; -- cgit From c0ac957fc2f177f3349b8b763fbd54ade14da56c Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 21 Apr 2003 16:16:31 +0000 Subject: Move information about locking to seperate chapter and information about scope id's to the faq (This used to be commit f2c333822f34be8a2bb85124319ead4dc44c2891) --- docs/docbook/projdoc/UNIX_INSTALL.sgml | 67 ---------------------------------- docs/docbook/projdoc/locking.sgml | 60 ++++++++++++++++++++++++++++++ docs/docbook/projdoc/samba-doc.sgml | 1 + 3 files changed, 61 insertions(+), 67 deletions(-) create mode 100644 docs/docbook/projdoc/locking.sgml (limited to 'docs/docbook') diff --git a/docs/docbook/projdoc/UNIX_INSTALL.sgml b/docs/docbook/projdoc/UNIX_INSTALL.sgml index 239ccd168b..1019e524f7 100644 --- a/docs/docbook/projdoc/UNIX_INSTALL.sgml 
+++ b/docs/docbook/projdoc/UNIX_INSTALL.sgml 
@@ -172,72 +172,5 @@ Samba has been successfully installed at thousands of sites worldwide, so maybe someone else has hit your problem and has overcome it. - - Scope IDs - - By default Samba uses a blank scope ID. This means - all your windows boxes must also have a blank scope ID. - If you really want to use a non-blank scope ID then you will - need to use the 'netbios scope' smb.conf option. - All your PCs will need to have the same setting for - this to work. I do not recommend scope IDs. - - - - Locking - - One area which sometimes causes trouble is locking. - - There are two types of locking which need to be - performed by a SMB server. The first is "record locking" - which allows a client to lock a range of bytes in a open file. - The second is the "deny modes" that are specified when a file - is open. - - Record locking semantics under Unix is very - different from record locking under Windows. Versions - of Samba before 2.2 have tried to use the native - fcntl() unix system call to implement proper record - locking between different Samba clients. This can not - be fully correct due to several reasons. The simplest - is the fact that a Windows client is allowed to lock a - byte range up to 2^32 or 2^64, depending on the client - OS. The unix locking only supports byte ranges up to - 2^31. So it is not possible to correctly satisfy a - lock request above 2^31. There are many more - differences, too many to be listed here. - - Samba 2.2 and above implements record locking - completely independent of the underlying unix - system. If a byte range lock that the client requests - happens to fall into the range 0-2^31, Samba hands - this request down to the Unix system. All other locks - can not be seen by unix anyway. - - Strictly a SMB server should check for locks before - every read and write call on a file. Unfortunately with the - way fcntl() works this can be slow and may overstress the - rpc.lockd. 
It is also almost always unnecessary as clients - are supposed to independently make locking calls before reads - and writes anyway if locking is important to them. By default - Samba only makes locking calls when explicitly asked - to by a client, but if you set "strict locking = yes" then it will - make lock checking calls on every read and write. - - You can also disable by range locking completely - using "locking = no". This is useful for those shares that - don't support locking or don't need it (such as cdroms). In - this case Samba fakes the return codes of locking calls to - tell clients that everything is OK. - - The second class of locking is the "deny modes". These - are set by an application when it opens a file to determine - what types of access should be allowed simultaneously with - its open. A client may ask for DENY_NONE, DENY_READ, DENY_WRITE - or DENY_ALL. There are also special compatibility modes called - DENY_FCB and DENY_DOS. - - - diff --git a/docs/docbook/projdoc/locking.sgml b/docs/docbook/projdoc/locking.sgml new file mode 100644 index 0000000000..ef65c16e2c --- /dev/null +++ b/docs/docbook/projdoc/locking.sgml 
@@ -0,0 +1,60 @@ + + + &author.jeremy; + &author.jelmer; + + +Locking + +One area which sometimes causes trouble is locking. + +There are two types of locking which need to be +performed by a SMB server. The first is "record locking" +which allows a client to lock a range of bytes in a open file. +The second is the "deny modes" that are specified when a file +is open. + +Record locking semantics under Unix is very +different from record locking under Windows. Versions +of Samba before 2.2 have tried to use the native +fcntl() unix system call to implement proper record +locking between different Samba clients. This can not +be fully correct due to several reasons. The simplest +is the fact that a Windows client is allowed to lock a +byte range up to 2^32 or 2^64, depending on the client +OS. The unix locking only supports byte ranges up to +2^31. So it is not possible to correctly satisfy a +lock request above 2^31. There are many more +differences, too many to be listed here. + +Samba 2.2 and above implements record locking +completely independent of the underlying unix +system. If a byte range lock that the client requests +happens to fall into the range 0-2^31, Samba hands +this request down to the Unix system. All other locks +can not be seen by unix anyway. + +Strictly a SMB server should check for locks before +every read and write call on a file. Unfortunately with the +way fcntl() works this can be slow and may overstress the +rpc.lockd. It is also almost always unnecessary as clients +are supposed to independently make locking calls before reads +and writes anyway if locking is important to them. By default +Samba only makes locking calls when explicitly asked +to by a client, but if you set "strict locking = yes" then it will +make lock checking calls on every read and write. + +You can also disable by range locking completely +using "locking = no". This is useful for those shares that +don't support locking or don't need it (such as cdroms). 
In +this case Samba fakes the return codes of locking calls to +tell clients that everything is OK. + +The second class of locking is the "deny modes". These +are set by an application when it opens a file to determine +what types of access should be allowed simultaneously with +its open. A client may ask for DENY_NONE, DENY_READ, DENY_WRITE +or DENY_ALL. There are also special compatibility modes called +DENY_FCB and DENY_DOS. + + diff --git a/docs/docbook/projdoc/samba-doc.sgml b/docs/docbook/projdoc/samba-doc.sgml index de3c9e2974..a0fc27fcb0 100644 --- a/docs/docbook/projdoc/samba-doc.sgml +++ b/docs/docbook/projdoc/samba-doc.sgml @@ -93,6 +93,7 @@ for various environments. &BROWSING; &SecuringSamba; &unicode; +&locking; -- cgit From ee399b147b37048ca21e715e41e069032ee0688f Mon Sep 17 00:00:00 2001 From: Jelmer Vernooij Date: Mon, 21 Apr 2003 16:16:50 +0000 Subject: Add question about scope id's (This used to be commit 2c258e5951aa35fc85b92cbf6d0b7ae1cbe8feb4) --- docs/docbook/faq/config.sgml | 12 ++++++++++++ docs/docbook/faq/general.sgml | 41 +---------------------------------------- docs/docbook/faq/printing.sgml | 1 + 3 files changed, 14 insertions(+), 40 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/faq/config.sgml b/docs/docbook/faq/config.sgml index db27102cdf..2c17c86c4e 100644 --- a/docs/docbook/faq/config.sgml +++ b/docs/docbook/faq/config.sgml @@ -22,4 +22,16 @@ add users to this database using "smbpasswd -a user-name". See also the "User database" chapter of the samba HOWTO Collection. + + +How can I make samba use netbios scope ID's + +By default Samba uses a blank scope ID. This means +all your windows boxes must also have a blank scope ID. +If you really want to use a non-blank scope ID then you will +need to use the 'netbios scope' smb.conf option. +All your PCs will need to have the same setting for +this to work. Scope ID's are not recommended. + + 
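Review bot: in the new locking.sgml, the paragraph on "locking = no" says Samba "fakes the return codes of locking calls to tell clients that everything is OK" and gives CD-ROMs as the only example; because clients will then believe they hold locks that do not exist, the chapter should say plainly that the setting is intended for read-only shares and risks file corruption where several clients write to the same files. The text is moved verbatim from UNIX_INSTALL.sgml, so it also carries over "disable by range locking" (should be "byte range locking") and "a open file", which are worth fixing now that the material is a chapter of its own.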
diff --git a/docs/docbook/faq/general.sgml b/docs/docbook/faq/general.sgml index 3f7c2074f9..54c620b382 100644 --- a/docs/docbook/faq/general.sgml +++ b/docs/docbook/faq/general.sgml @@ -35,7 +35,7 @@ unstable, and a series of alpha releases are distributed, for example doing. The "alpha" in the filename will hopefully scare off those who are just looking for the latest version to install. -When Andrew thinks that the alphas have stabilised to the point +When the release manager, currently Jerry, thinks that the alphas have stabilised to the point where he would recommend new users install it, he renames it to the same version number without the alpha, for example 1.9.16. 
@@ -128,43 +128,4 @@ Look at the samba mailing list - -Pizza supply details - -Those who have registered in the Samba survey as "Pizza Factory" will -already know this, but the rest may need some help. Andrew doesn't ask -for payment, but he does appreciate it when people give him -pizza. This calls for a little organisation when the pizza donor is -twenty thousand kilometres away, but it has been done. - - - -Method 1: Ring up your local branch of an international pizza chain -and see if they honour their vouchers internationally. Pizza Hut do, -which is how the entire Canberra Linux Users Group got to eat pizza -one night, courtesy of someone in the US. - - - -Method 2: Ring up a local pizza shop in Canberra and quote a credit -card number for a certain amount, and tell them that Andrew will be -collecting it (don't forget to tell him.) One kind soul from Germany -did this. - - - -Method 3: Purchase a pizza voucher from your local pizza shop that has -no international affiliations and send it to Andrew. It is completely -useless but he can hang it on the wall next to the one he already has -from Germany :-) - - - -Method 4: Air freight him a pizza with your favourite regional -flavours. It will probably get stuck in customs or torn apart by -hungry sniffer dogs but it will have been a noble gesture. - - - - diff --git a/docs/docbook/faq/printing.sgml b/docs/docbook/faq/printing.sgml index 4a58c385bb..be2acbd905 100644 --- a/docs/docbook/faq/printing.sgml +++ b/docs/docbook/faq/printing.sgml @@ -1,4 +1,5 @@ + RonanWaide -- cgit From cca63db35b2b20c823b57e0487c67325d29989e1 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Mon, 21 Apr 2003 16:25:38 +0000 Subject: Replacing file with correct version. (This used to be commit f0dc3e6da89728259ed5e10cb7f9193c711f65fc) --- docs/docbook/projdoc/NT4Migration.sgml | 103 --------------------------------- 1 file changed, 103 deletions(-) (limited to 'docs/docbook') 
diff --git a/docs/docbook/projdoc/NT4Migration.sgml b/docs/docbook/projdoc/NT4Migration.sgml index 5799841feb..84719b9a94 100644 --- a/docs/docbook/projdoc/NT4Migration.sgml +++ b/docs/docbook/projdoc/NT4Migration.sgml 
@@ -492,109 +492,6 @@ Authentication - -Migration Options - - -There are 3 major Site Types: - - - -<= 50 Users -Want simple conversion with NO pain -50 - 250 Users -Want new features, can manage some in-house complexity -Large Scale Sites -Solution / Implementation MUST scale well, complex needs -Cross departmental decision process -Local expertise in most areas -Planning for Success -Decide which approach is needed - 3 Choices -Simple Conversion (total replacement) -Upgraded Conversion (could be one of integration) -Complete Redesign (completely new solution) -Take sufficient time -Avoid Panic -Test ALL assumptions -Test full roll-out program, including workstation deployment -Simple Conversion -Make use of minimal OS specific features -Can use No Unix Accounts Option -Suck all accounts from NT4 into Samba-3 -Make least number of operational changes -Take least amount of time to migrate -Live versus Isolated Conversion -Integrate Samba-3 then migrate while users are active -Change of control (ie: swap out) -Upgraded Conversion -Translate NT4 features to new host OS features -Copy and improve -Old environment to Samba-3 -Make progressive improvements -Minimise user impact -Macimise functionality -Take advantage of lower maintenance opportunity -Complete Network Redesign -Decide -Authentication Regime (database locate and access) -Desktop Management Methods -Better Control of Desktops / Users -Identify Needs for: -Manageability, Scalability, Security, Availability -Samba Implementation Choices -Authentication database back end -Winbind (external Samba or NT4/200x server) -Can use pam_mkhomedir.so to auto-create home dirs -External server could use Active Directory or NT4 Domain -Database type -smbpasswd, tdbsam, ldapsam, MySQLsam -With local accounts or with No Unix Accounts (NUA option) -Samba Implementation Choice - II -Access Control Points -On the Share itself (Use NT4 Server Manager) -On the file system -Unix permissions on files and directories -Posix ACLs 
enablement in file system? -Through Samba share parameters -Not recommended - except as only resort -Samba Implementation Choice - III -Policies (migrate or create new ones) -Group Policy Editor (NT4) -Watch out for Tattoo effect -User and Group Profiles -Platform specific so use platform tool to change from a Local to a Roaming profile -Can use new profiles tool to change SIDs (NTUser.DAT) -Logon Scripts (Know how they work) -Samba Implementation Choices - IV -User and Group mapping to Unix/Linux -username map facility may be needed -Use smbgroupedit to connect NT4 groups to Unix groups -Use pdbedit to set/change user configuration -NOTE: -If migrating to LDAP back end it may be easier to dump initial LDAP database to LDIF, then edit, then reload into LDAP -Samba Implementation Choices - V -OS specific scripts / programs may be needed -Add / delete Users -Note OS limits on size of name (Linux 8 chars) -NT4 up to 254 chars -Add / delete machines -Applied only to domain members (note up to 16 chars) -Add / delete Groups -Note OS limits on size and nature -Linux limit is 16 char, no spaces and no upper case chars (groupadd) -Migration Tools -Domain Control (NT4 Style) -Profiles, Policies, Access Controls, Security -Migration Tools -Samba: net, rpcclient, smbpasswd, pdbedit, smbgroupedit, profiles -Windows: NT4 Domain User Manager, Server Manager (NEXUS) -Authentication -New SAM back end (smbpasswd, tdbsam, ldapsam, mysqlsam) -With of without Unix Accounts (NUA) - - - - Managing Samba-3 Domain Control -- cgit From 3ac50a125e27911ec29f1c637417fa9ae1612a86 Mon Sep 17 00:00:00 2001 
From: John Terpstra Date: Mon, 21 Apr 2003 20:00:38 +0000 Subject: Merged the two browsing documents into one. Added locking module to global.ent file. (This used to be commit 1027525be23e7db97677e2ed3e2706d271ad0a0b) --- docs/docbook/global.ent | 7 +- docs/docbook/projdoc/Browsing-Quickguide.sgml | 416 -------- docs/docbook/projdoc/Browsing.sgml | 807 ---------------- docs/docbook/projdoc/NetworkBrowsing.sgml | 1288 +++++++++++++++++++++++++ docs/docbook/projdoc/samba-doc.sgml | 3 +- 5 files changed, 1292 insertions(+), 1229 deletions(-) delete mode 100644 docs/docbook/projdoc/Browsing-Quickguide.sgml delete mode 100644 docs/docbook/projdoc/Browsing.sgml create mode 100644 docs/docbook/projdoc/NetworkBrowsing.sgml (limited to 'docs/docbook') diff --git a/docs/docbook/global.ent b/docs/docbook/global.ent index c69b72d8a6..dcef1084d6 100644 --- a/docs/docbook/global.ent +++ b/docs/docbook/global.ent @@ -407,8 +407,7 @@ an Active Directory environment. - - + @@ -451,8 +450,7 @@ an Active Directory environment. - - + @@ -463,6 +461,7 @@ an Active Directory environment. + diff --git a/docs/docbook/projdoc/Browsing-Quickguide.sgml b/docs/docbook/projdoc/Browsing-Quickguide.sgml deleted file mode 100644 index d8df57dcb9..0000000000 --- a/docs/docbook/projdoc/Browsing-Quickguide.sgml +++ /dev/null 
@@ -1,416 +0,0 @@ - - - &author.jht; - July 5, 1998 - Updated: March 15, 2003 - - -Quick Cross Subnet Browsing / Cross Workgroup Browsing guide - - -This document should be read in conjunction with Browsing and may -be taken as the fast track guide to implementing browsing across subnets -and / or across workgroups (or domains). WINS is the best tool for resolution -of NetBIOS names to IP addesses. WINS is NOT involved in browse list handling -except by way of name to address mapping. - - - -MS Windows 2000 and later can be configured to operate with NO NetBIOS -over TCP/IP. Samba-3 and later also supports this mode of operation. - - - - -Discussion - - -Firstly, all MS Windows networking is based on SMB (Server Message -Block) based messaging. SMB messaging may be implemented using NetBIOS or -without NetBIOS. Samba implements NetBIOS by encapsulating it over TCP/IP. -MS Windows products can do likewise. NetBIOS based networking uses broadcast -messaging to affect browse list management. When running NetBIOS over -TCP/IP this uses UDP based messaging. UDP messages can be broadcast or unicast. - - - -Normally, only unicast UDP messaging can be forwarded by routers. The -remote announce -parameter to smb.conf helps to project browse announcements -to remote network segments via unicast UDP. Similarly, the -remote browse sync parameter of smb.conf -implements browse list collation using unicast UDP. - - - -Secondly, in those networks where Samba is the only SMB server technology -wherever possible &nmbd; should be configured on one (1) machine as the WINS -server. This makes it easy to manage the browsing environment. If each network -segment is configured with it's own Samba WINS server, then the only way to -get cross segment browsing to work is by using the -remote announce and the remote browse sync -parameters to your smb.conf file. 
- - - -If only one WINS server is used for an entire multi-segment network then -the use of the remote announce and the -remote browse sync parameters should NOT be necessary. - - - -As of Samba 3 WINS replication is being worked on. The bulk of the code has -been committed, but it still needs maturation. - - - -Right now samba WINS does not support MS-WINS replication. This means that -when setting up Samba as a WINS server there must only be one &nmbd; configured -as a WINS server on the network. Some sites have used multiple Samba WINS -servers for redundancy (one server per subnet) and then used -remote browse sync and remote announce -to affect browse list collation across all -segments. Note that this means clients will only resolve local names, -and must be configured to use DNS to resolve names on other subnets in -order to resolve the IP addresses of the servers they can see on other -subnets. This setup is not recommended, but is mentioned as a practical -consideration (ie: an 'if all else fails' scenario). - - - -Lastly, take note that browse lists are a collection of unreliable broadcast -messages that are repeated at intervals of not more than 15 minutes. This means -that it will take time to establish a browse list and it can take up to 45 -minutes to stabilise, particularly across network segments. - - - - - -How browsing functions and how to deploy stable and -dependable browsing using Samba - - - -As stated above, MS Windows machines register their NetBIOS names -(i.e.: the machine name for each service type in operation) on start -up. Also, as stated above, the exact method by which this name registration -takes place is determined by whether or not the MS Windows client/server -has been given a WINS server address, whether or not LMHOSTS lookup -is enabled, or if DNS for NetBIOS name resolution is enabled, etc. - - - -In the case where there is no WINS server all name registrations as -well as name lookups are done by UDP broadcast. 
This isolates name -resolution to the local subnet, unless LMHOSTS is used to list all -names and IP addresses. In such situations Samba provides a means by -which the samba server name may be forcibly injected into the browse -list of a remote MS Windows network (using the -remote announce parameter). - - - -Where a WINS server is used, the MS Windows client will use UDP -unicast to register with the WINS server. Such packets can be routed -and thus WINS allows name resolution to function across routed networks. - - - -During the startup process an election will take place to create a -local master browser if one does not already exist. On each NetBIOS network -one machine will be elected to function as the domain master browser. This -domain browsing has nothing to do with MS security domain control. -Instead, the domain master browser serves the role of contacting each local -master browser (found by asking WINS or from LMHOSTS) and exchanging browse -list contents. This way every master browser will eventually obtain a complete -list of all machines that are on the network. Every 11-15 minutes an election -is held to determine which machine will be the master browser. By the nature of -the election criteria used, the machine with the highest uptime, or the -most senior protocol version, or other criteria, will win the election -as domain master browser. - - - -Clients wishing to browse the network make use of this list, but also depend -on the availability of correct name resolution to the respective IP -address/addresses. - - - -Any configuration that breaks name resolution and/or browsing intrinsics -will annoy users because they will have to put up with protracted -inability to use the network services. - - - -Samba supports a feature that allows forced synchonisation -of browse lists across routed networks using the remote -browse sync parameter in the smb.conf file. 
-This causes Samba to contact the local master browser on a remote network and -to request browse list synchronisation. This effectively bridges -two networks that are separated by routers. The two remote -networks may use either broadcast based name resolution or WINS -based name resolution, but it should be noted that the remote -browse sync parameter provides browse list synchronisation - and -that is distinct from name to address resolution, in other -words, for cross subnet browsing to function correctly it is -essential that a name to address resolution mechanism be provided. -This mechanism could be via DNS, /etc/hosts, -and so on. - - - - - -Use of the <command>Remote Announce</command> parameter - -The remote announce parameter of -smb.conf can be used to forcibly ensure -that all the NetBIOS names on a network get announced to a remote network. -The syntax of the remote announce parameter is: - - remote announce = a.b.c.d [e.f.g.h] ... - -_or_ - - remote announce = a.b.c.d/WORKGROUP [e.f.g.h/WORKGROUP] ... - - -where: - -a.b.c.d and -e.f.g.h -is either the LMB (Local Master Browser) IP address -or the broadcst address of the remote network. -ie: the LMB is at 192.168.1.10, or the address -could be given as 192.168.1.255 where the netmask -is assumed to be 24 bits (255.255.255.0). -When the remote announcement is made to the broadcast -address of the remote network every host will receive -our announcements. This is noisy and therefore -undesirable but may be necessary if we do NOT know -the IP address of the remote LMB. - - - -WORKGROUP -is optional and can be either our own workgroup -or that of the remote network. If you use the -workgroup name of the remote network then our -NetBIOS machine names will end up looking like -they belong to that workgroup, this may cause -name resolution problems and should be avoided. 
- - - - - - - - -Use of the <command>Remote Browse Sync</command> parameter - - -The remote browse sync parameter of -smb.conf is used to announce to -another LMB that it must synchronise it's NetBIOS name list with our -Samba LMB. It works ONLY if the Samba server that has this option is -simultaneously the LMB on it's network segment. - - - -The syntax of the remote browse sync parameter is: - - -remote browse sync = a.b.c.d - - -where a.b.c.d is either the IP address of the remote LMB or else is the network broadcast address of the remote segment. - - - - - -Use of WINS - - -Use of WINS (either Samba WINS _or_ MS Windows NT Server WINS) is highly -recommended. Every NetBIOS machine registers it's name together with a -name_type value for each of of several types of service it has available. -eg: It registers it's name directly as a unique (the type 0x03) name. -It also registers it's name if it is running the lanmanager compatible -server service (used to make shares and printers available to other users) -by registering the server (the type 0x20) name. - - - -All NetBIOS names are up to 15 characters in length. The name_type variable -is added to the end of the name - thus creating a 16 character name. Any -name that is shorter than 15 characters is padded with spaces to the 15th -character. ie: All NetBIOS names are 16 characters long (including the -name_type information). - - - -WINS can store these 16 character names as they get registered. A client -that wants to log onto the network can ask the WINS server for a list -of all names that have registered the NetLogon service name_type. This saves -broadcast traffic and greatly expedites logon processing. Since broadcast -name resolution can not be used across network segments this type of -information can only be provided via WINS _or_ via statically configured -lmhosts files that must reside on all clients in the -absence of WINS. 
- - - -WINS also serves the purpose of forcing browse list synchronisation by all -LMB's. LMB's must synchronise their browse list with the DMB (domain master -browser) and WINS helps the LMB to identify it's DMB. By definition this -will work only within a single workgroup. Note that the domain master browser -has NOTHING to do with what is referred to as an MS Windows NT Domain. The -later is a reference to a security environment while the DMB refers to the -master controller for browse list information only. - - - -Use of WINS will work correctly only if EVERY client TCP/IP protocol stack -has been configured to use the WINS server/s. Any client that has not been -configured to use the WINS server will continue to use only broadcast based -name registration so that WINS may NEVER get to know about it. In any case, -machines that have not registered with a WINS server will fail name to address -lookup attempts by other clients and will therefore cause workstation access -errors. - - - -To configure Samba as a WINS server just add -wins support = yes to the smb.conf -file [globals] section. - - - -To configure Samba to register with a WINS server just add -"wins server = a.b.c.d" to your smb.conf file [globals] section. - - - -Never use both wins support = yes together -with wins server = a.b.c.d -particularly not using it's own IP address. -Specifying both will cause &nmbd; to refuse to start! - - - -WINS Replication - - -Samba-3 permits WINS replication through the use of the wrepld utility. -This tool is not currently capable of being used as it is still in active development. -As soon as this tool becomes moderately functional we will prepare man pages and enhance this -section of the documentation to provide usage and technical details. - - - - -Static WINS Entries - - -New to Samba-3 is a tool called winsedit that may be used to add -static WINS entries to the WINS database. This tool can be used also to modify entries -existing in the WINS database. 
- - - -The development of the winsedit tool was made necessary due to the migration -of the older style wins.dat file into a new tdb binary backend data store. - - - - - - -Do NOT use more than one (1) protocol on MS Windows machines - - -A very common cause of browsing problems results from installing more than -one protocol on an MS Windows machine. - - - -Every NetBIOS machine takes part in a process of electing the LMB (and DMB) -every 15 minutes. A set of election criteria is used to determine the order -of precidence for winning this election process. A machine running Samba or -Windows NT will be biased so that the most suitable machine will predictably -win and thus retain it's role. - - - -The election process is "fought out" so to speak over every NetBIOS network -interface. In the case of a Windows 9x machine that has both TCP/IP and IPX -installed and has NetBIOS enabled over both protocols the election will be -decided over both protocols. As often happens, if the Windows 9x machine is -the only one with both protocols then the LMB may be won on the NetBIOS -interface over the IPX protocol. Samba will then lose the LMB role as Windows -9x will insist it knows who the LMB is. Samba will then cease to function -as an LMB and thus browse list operation on all TCP/IP only machines will -fail. - - - -Windows 95, 98, 98se, Me are referred to generically as Windows 9x. -The Windows NT4, 2000, XP and 2003 use common protocols. These are roughly -referred to as the WinNT family, but it should be recognised that 2000 and -XP/2003 introduce new protocol extensions that cause them to behave -differently from MS Windows NT4. Generally, where a server does NOT support -the newer or extended protocol, these will fall back to the NT4 protocols. - - - -The safest rule of all to follow it this - USE ONLY ONE PROTOCOL! - - - - - -Name Resolution Order - - -Resolution of NetBIOS names to IP addresses can take place using a number -of methods. 
The only ones that can provide NetBIOS name_type information -are: - - -WINS: the best tool! -LMHOSTS: is static and hard to maintain. -Broadcast: uses UDP and can not resolve names across remote segments. - - - -Alternative means of name resolution includes: - -/etc/hosts: is static, hard to maintain, and lacks name_type info -DNS: is a good choice but lacks essential name_type info. - - - -Many sites want to restrict DNS lookups and want to avoid broadcast name -resolution traffic. The "name resolve order" parameter is of great help here. -The syntax of the "name resolve order" parameter is: - -name resolve order = wins lmhosts bcast host - -_or_ - -name resolve order = wins lmhosts (eliminates bcast and host) - -The default is: - -name resolve order = host lmhost wins bcast -. -where "host" refers the the native methods used by the Unix system -to implement the gethostbyname() function call. This is normally -controlled by /etc/host.conf, /etc/nsswitch.conf and /etc/resolv.conf. - - - diff --git a/docs/docbook/projdoc/Browsing.sgml b/docs/docbook/projdoc/Browsing.sgml deleted file mode 100644 index ca2f6dc57b..0000000000 --- a/docs/docbook/projdoc/Browsing.sgml +++ /dev/null 
@@ -1,807 +0,0 @@ - - - - - Samba Team - - - - (5 July 1998) - - -Improved browsing in samba - - -Overview of browsing - - -SMB networking provides a mechanism by which clients can access a list -of machines in a network, a so-called browse list. This list -contains machines that are ready to offer file and/or print services -to other machines within the network. Thus it does not include -machines which aren't currently able to do server tasks. The browse -list is heavily used by all SMB clients. Configuration of SMB -browsing has been problematic for some Samba users, hence this -document. - - - -MS Windows 2000 and later, as with Samba 3 and later, can be -configured to not use NetBIOS over TCP/IP. When configured this way -it is imperative that name resolution (using DNS/LDAP/ADS) be correctly -configured and operative. Browsing will NOT work if name resolution -from SMB machine names to IP addresses does not function correctly. - - - -Where NetBIOS over TCP/IP is enabled use of a WINS server is highly -recommended to aid the resolution of NetBIOS (SMB) names to IP addresses. -WINS allows remote segment clients to obtain NetBIOS name_type information -that can NOT be provided by any other means of name resolution. - - - - - -Browsing support in samba - - -Samba facilitates browsing. The browsing is supported by &nmbd; -and is also controlled by options in the &smb.conf; file. -Samba can act as a local browse master for a workgroup and the ability -for samba to support domain logons and scripts is now available. - - - -Samba can also act as a domain master browser for a workgroup. This -means that it will collate lists from local browse masters into a -wide area network server list. In order for browse clients to -resolve the names they may find in this list, it is recommended that -both samba and your clients use a WINS server. 
- - - -Note that you should NOT set Samba to be the domain master for a -workgroup that has the same name as an NT Domain: on each wide area -network, you must only ever have one domain master browser per workgroup, -regardless of whether it is NT, Samba or any other type of domain master -that is providing this service. - - - -Nmbd can be configured as a WINS server, but it is not -necessary to specifically use samba as your WINS server. MS Windows -NT4, Server or Advanced Server 2000 or 2003 can be configured as -your WINS server. In a mixed NT/2000/2003 server and samba environment on -a Wide Area Network, it is recommended that you use the Microsoft -WINS server capabilities. In a samba-only environment, it is -recommended that you use one and only one Samba server as your WINS server. - - - -To get browsing to work you need to run nmbd as usual, but will need -to use the workgroup option in &smb.conf; -to control what workgroup Samba becomes a part of. - - - -Samba also has a useful option for a Samba server to offer itself for -browsing on another subnet. It is recommended that this option is only -used for 'unusual' purposes: announcements over the internet, for -example. See remote announce in the -&smb.conf; man page. - - - - -Problem resolution - - -If something doesn't work then hopefully the log.nmb file will help -you track down the problem. Try a debug level of 2 or 3 for finding -problems. Also note that the current browse list usually gets stored -in text form in a file called browse.dat. - - - -Note that if it doesn't work for you, then you should still be able to -type the server name as \\SERVER in filemanager then -hit enter and filemanager should display the list of available shares. - - - -Some people find browsing fails because they don't have the global -guest account set to a valid account. Remember that the -IPC$ connection that lists the shares is done as guest, and thus you must -have a valid guest account. 
- - - -MS Windows 2000 and upwards (as with Samba) can be configured to disallow -anonymous (ie: Guest account) access to the IPC$ share. In that case, the -MS Windows 2000/XP/2003 machine acting as an SMB/CIFS client will use the -name of the currently logged in user to query the IPC$ share. MS Windows -9X clients are not able to do this and thus will NOT be able to browse -server resources. - - - -The other big problem people have is that their broadcast address, -netmask or IP address is wrong (specified with the "interfaces" option -in &smb.conf;) - - - - -Browsing across subnets - -Since the release of Samba 1.9.17(alpha1) Samba has been -updated to enable it to support the replication of browse lists -across subnet boundaries. New code and options have been added to -achieve this. This section describes how to set this feature up -in different settings. - - - -To see browse lists that span TCP/IP subnets (ie. networks separated -by routers that don't pass broadcast traffic) you must set up at least -one WINS server. The WINS server acts as a DNS for NetBIOS names, allowing -NetBIOS name to IP address translation to be done by doing a direct -query of the WINS server. This is done via a directed UDP packet on -port 137 to the WINS server machine. The reason for a WINS server is -that by default, all NetBIOS name to IP address translation is done -by broadcasts from the querying machine. This means that machines -on one subnet will not be able to resolve the names of machines on -another subnet without using a WINS server. - - - -Remember, for browsing across subnets to work correctly, all machines, -be they Windows 95, Windows NT, or Samba servers must have the IP address -of a WINS server given to them by a DHCP server, or by manual configuration -(for Win95 and WinNT, this is in the TCP/IP Properties, under Network -settings) for Samba this is in the &smb.conf; file. - - - -How does cross subnet browsing work ? 
- - -Cross subnet browsing is a complicated dance, containing multiple -moving parts. It has taken Microsoft several years to get the code -that achieves this correct, and Samba lags behind in some areas. -Samba is capable of cross subnet browsing when configured correctly. - - - -Consider a network set up as follows : - - - - - (DMB) - N1_A N1_B N1_C N1_D N1_E - | | | | | - ------------------------------------------------------- - | subnet 1 | - +---+ +---+ - |R1 | Router 1 Router 2 |R2 | - +---+ +---+ - | | - | subnet 2 subnet 3 | - -------------------------- ------------------------------------ - | | | | | | | | - N2_A N2_B N2_C N2_D N3_A N3_B N3_C N3_D - (WINS) - - - - -Consisting of 3 subnets (1, 2, 3) connected by two routers -(R1, R2) - these do not pass broadcasts. Subnet 1 has 5 machines -on it, subnet 2 has 4 machines, subnet 3 has 4 machines. Assume -for the moment that all these machines are configured to be in the -same workgroup (for simplicities sake). Machine N1_C on subnet 1 -is configured as Domain Master Browser (ie. it will collate the -browse lists for the workgroup). Machine N2_D is configured as -WINS server and all the other machines are configured to register -their NetBIOS names with it. - - - -As all these machines are booted up, elections for master browsers -will take place on each of the three subnets. Assume that machine -N1_C wins on subnet 1, N2_B wins on subnet 2, and N3_D wins on -subnet 3 - these machines are known as local master browsers for -their particular subnet. N1_C has an advantage in winning as the -local master browser on subnet 1 as it is set up as Domain Master -Browser. - - - -On each of the three networks, machines that are configured to -offer sharing services will broadcast that they are offering -these services. The local master browser on each subnet will -receive these broadcasts and keep a record of the fact that -the machine is offering a service. This list of records is -the basis of the browse list. 
For this case, assume that -all the machines are configured to offer services so all machines -will be on the browse list. - - - -For each network, the local master browser on that network is -considered 'authoritative' for all the names it receives via -local broadcast. This is because a machine seen by the local -master browser via a local broadcast must be on the same -network as the local master browser and thus is a 'trusted' -and 'verifiable' resource. Machines on other networks that -the local master browsers learn about when collating their -browse lists have not been directly seen - these records are -called 'non-authoritative'. - - - -At this point the browse lists look as follows (these are -the machines you would see in your network neighborhood if -you looked in it on a particular network right now). - - - - -Subnet Browse Master List ------- ------------- ---- -Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E - -Subnet2 N2_B N2_A, N2_B, N2_C, N2_D - -Subnet3 N3_D N3_A, N3_B, N3_C, N3_D - - - - -Note that at this point all the subnets are separate, no -machine is seen across any of the subnets. - - - -Now examine subnet 2. As soon as N2_B has become the local -master browser it looks for a Domain master browser to synchronize -its browse list with. It does this by querying the WINS server -(N2_D) for the IP address associated with the NetBIOS name -WORKGROUP>1B<. This name was registerd by the Domain master -browser (N1_C) with the WINS server as soon as it was booted. - - - -Once N2_B knows the address of the Domain master browser it -tells it that is the local master browser for subnet 2 by -sending a MasterAnnouncement packet as a UDP port 138 packet. -It then synchronizes with it by doing a NetServerEnum2 call. This -tells the Domain Master Browser to send it all the server -names it knows about. Once the domain master browser receives -the MasterAnnouncement packet it schedules a synchronization -request to the sender of that packet. 
After both synchronizations -are done the browse lists look like : - - - - -Subnet Browse Master List ------- ------------- ---- -Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E, - N2_A(*), N2_B(*), N2_C(*), N2_D(*) - -Subnet2 N2_B N2_A, N2_B, N2_C, N2_D - N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*) - -Subnet3 N3_D N3_A, N3_B, N3_C, N3_D - -Servers with a (*) after them are non-authoritative names. - - - - -At this point users looking in their network neighborhood on -subnets 1 or 2 will see all the servers on both, users on -subnet 3 will still only see the servers on their own subnet. - - - -The same sequence of events that occured for N2_B now occurs -for the local master browser on subnet 3 (N3_D). When it -synchronizes browse lists with the domain master browser (N1_A) -it gets both the server entries on subnet 1, and those on -subnet 2. After N3_D has synchronized with N1_C and vica-versa -the browse lists look like. - - - - -Subnet Browse Master List ------- ------------- ---- -Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E, - N2_A(*), N2_B(*), N2_C(*), N2_D(*), - N3_A(*), N3_B(*), N3_C(*), N3_D(*) - -Subnet2 N2_B N2_A, N2_B, N2_C, N2_D - N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*) - -Subnet3 N3_D N3_A, N3_B, N3_C, N3_D - N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), - N2_A(*), N2_B(*), N2_C(*), N2_D(*) - -Servers with a (*) after them are non-authoritative names. - - - - -At this point users looking in their network neighborhood on -subnets 1 or 3 will see all the servers on all sunbets, users on -subnet 2 will still only see the servers on subnets 1 and 2, but not 3. - - - -Finally, the local master browser for subnet 2 (N2_B) will sync again -with the domain master browser (N1_C) and will recieve the missing -server entries. 
Finally - and as a steady state (if no machines -are removed or shut off) the browse lists will look like : - - - - -Subnet Browse Master List ------- ------------- ---- -Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E, - N2_A(*), N2_B(*), N2_C(*), N2_D(*), - N3_A(*), N3_B(*), N3_C(*), N3_D(*) - -Subnet2 N2_B N2_A, N2_B, N2_C, N2_D - N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*) - N3_A(*), N3_B(*), N3_C(*), N3_D(*) - -Subnet3 N3_D N3_A, N3_B, N3_C, N3_D - N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), - N2_A(*), N2_B(*), N2_C(*), N2_D(*) - -Servers with a (*) after them are non-authoritative names. - - - - -Synchronizations between the domain master browser and local -master browsers will continue to occur, but this should be a -steady state situation. - - - -If either router R1 or R2 fails the following will occur: - - - - - - Names of computers on each side of the inaccessible network fragments - will be maintained for as long as 36 minutes, in the network neighbourhood - lists. - - - - - - Attempts to connect to these inaccessible computers will fail, but the - names will not be removed from the network neighbourhood lists. - - - - - - If one of the fragments is cut off from the WINS server, it will only - be able to access servers on its local subnet, by using subnet-isolated - broadcast NetBIOS name resolution. The effects are similar to that of - losing access to a DNS server. - - - - - - - -Setting up a WINS server - - -Either a Samba machine or a Windows NT Server machine may be set up -as a WINS server. To set a Samba machine to be a WINS server you must -add the following option to the &smb.conf; file on the selected machine : -in the [globals] section add the line - - - - wins support = yes - - - -Versions of Samba prior to 1.9.17 had this parameter default to -yes. If you have any older versions of Samba on your network it is -strongly suggested you upgrade to a recent version, or at the very -least set the parameter to 'no' on all these machines. 
- - - -Machines with wins support = yes will keep a list of -all NetBIOS names registered with them, acting as a DNS for NetBIOS names. - - - -You should set up only ONE wins server. Do NOT set the -wins support = yes option on more than one Samba -server. - - - -To set up a Windows NT Server as a WINS server you need to set up -the WINS service - see your NT documentation for details. Note that -Windows NT WINS Servers can replicate to each other, allowing more -than one to be set up in a complex subnet environment. As Microsoft -refuse to document these replication protocols Samba cannot currently -participate in these replications. It is possible in the future that -a Samba->Samba WINS replication protocol may be defined, in which -case more than one Samba machine could be set up as a WINS server -but currently only one Samba server should have the -wins support = yes parameter set. - - - -After the WINS server has been configured you must ensure that all -machines participating on the network are configured with the address -of this WINS server. If your WINS server is a Samba machine, fill in -the Samba machine IP address in the "Primary WINS Server" field of -the "Control Panel->Network->Protocols->TCP->WINS Server" dialogs -in Windows 95 or Windows NT. To tell a Samba server the IP address -of the WINS server add the following line to the [global] section of -all &smb.conf; files : - - - -wins server = >name or IP address< - - - -where >name or IP address< is either the DNS name of the WINS server -machine or its IP address. - - - -Note that this line MUST NOT BE SET in the &smb.conf; file of the Samba -server acting as the WINS server itself. If you set both the -wins support = yes option and the -wins server = <name> option then -nmbd will fail to start. - - - -There are two possible scenarios for setting up cross subnet browsing. 
-The first details setting up cross subnet browsing on a network containing -Windows 95, Samba and Windows NT machines that are not configured as -part of a Windows NT Domain. The second details setting up cross subnet -browsing on networks that contain NT Domains. - - - - - -Setting up Browsing in a WORKGROUP - - -To set up cross subnet browsing on a network containing machines -in up to be in a WORKGROUP, not an NT Domain you need to set up one -Samba server to be the Domain Master Browser (note that this is *NOT* -the same as a Primary Domain Controller, although in an NT Domain the -same machine plays both roles). The role of a Domain master browser is -to collate the browse lists from local master browsers on all the -subnets that have a machine participating in the workgroup. Without -one machine configured as a domain master browser each subnet would -be an isolated workgroup, unable to see any machines on any other -subnet. It is the presense of a domain master browser that makes -cross subnet browsing possible for a workgroup. - - - -In an WORKGROUP environment the domain master browser must be a -Samba server, and there must only be one domain master browser per -workgroup name. To set up a Samba server as a domain master browser, -set the following option in the [global] section of the &smb.conf; file : - - - -domain master = yes - - - -The domain master browser should also preferrably be the local master -browser for its own subnet. In order to achieve this set the following -options in the [global] section of the &smb.conf; file : - - - - -domain master = yes -local master = yes -preferred master = yes -os level = 65 - - - - -The domain master browser may be the same machine as the WINS -server, if you require. - - - -Next, you should ensure that each of the subnets contains a -machine that can act as a local master browser for the -workgroup. 
Any MS Windows NT/2K/XP/2003 machine should be -able to do this, as will Windows 9x machines (although these -tend to get rebooted more often, so it's not such a good idea -to use these). To make a Samba server a local master browser -set the following options in the [global] section of the -&smb.conf; file : - - - - -domain master = no -local master = yes -preferred master = yes -os level = 65 - - - - -Do not do this for more than one Samba server on each subnet, -or they will war with each other over which is to be the local -master browser. - - - -The local master parameter allows Samba to act as a -local master browser. The preferred master causes nmbd -to force a browser election on startup and the os level -parameter sets Samba high enough so that it should win any browser elections. - - - -If you have an NT machine on the subnet that you wish to -be the local master browser then you can disable Samba from -becoming a local master browser by setting the following -options in the [global] section of the -&smb.conf; file : - - - - -domain master = no -local master = no -preferred master = no -os level = 0 - - - - - - -Setting up Browsing in a DOMAIN - - -If you are adding Samba servers to a Windows NT Domain then -you must not set up a Samba server as a domain master browser. -By default, a Windows NT Primary Domain Controller for a Domain -name is also the Domain master browser for that name, and many -things will break if a Samba server registers the Domain master -browser NetBIOS name (DOMAIN<1B>) -with WINS instead of the PDC. - - - -For subnets other than the one containing the Windows NT PDC -you may set up Samba servers as local master browsers as -described. 
To make a Samba server a local master browser set -the following options in the [global] section -of the &smb.conf; file : - - - - -domain master = no -local master = yes -preferred master = yes -os level = 65 - - - - -If you wish to have a Samba server fight the election with machines -on the same subnet you may set the os level parameter -to lower levels. By doing this you can tune the order of machines that -will become local master browsers if they are running. For -more details on this see the section -Forcing samba to be the master browser -below. - - - -If you have Windows NT machines that are members of the domain -on all subnets, and you are sure they will always be running then -you can disable Samba from taking part in browser elections and -ever becoming a local master browser by setting following options -in the [global] section of the &smb.conf; -file : - - - - - domain master = no - local master = no - preferred master = no - os level = 0 - - - - - - -Forcing samba to be the master - - -Who becomes the master browser is determined by an election -process using broadcasts. Each election packet contains a number of parameters -which determine what precedence (bias) a host should have in the -election. By default Samba uses a very low precedence and thus loses -elections to just about anyone else. - - - -If you want Samba to win elections then just set the os level global -option in &smb.conf; to a higher number. It defaults to 0. Using 34 -would make it win all elections over every other system (except other -samba systems!) - - - -A os level of 2 would make it beat WfWg and Win95, but not MS Windows -NT/2K Server. A MS Windows NT/2K Server domain controller uses level 32. - - -The maximum os level is 255 - - -If you want samba to force an election on startup, then set the -preferred master global option in &smb.conf; to "yes". Samba will -then have a slight advantage over other potential master browsers -that are not preferred master browsers. 
Use this parameter with -care, as if you have two hosts (whether they are windows 95 or NT or -samba) on the same local subnet both set with preferred master to -"yes", then periodically and continually they will force an election -in order to become the local master browser. - - - -If you want samba to be a domain master browser, then it is -recommended that you also set preferred master to "yes", because -samba will not become a domain master browser for the whole of your -LAN or WAN if it is not also a local master browser on its own -broadcast isolated subnet. - - - -It is possible to configure two samba servers to attempt to become -the domain master browser for a domain. The first server that comes -up will be the domain master browser. All other samba servers will -attempt to become the domain master browser every 5 minutes. They -will find that another samba server is already the domain master -browser and will fail. This provides automatic redundancy, should -the current domain master browser fail. - - - - - -Making samba the domain master - - -The domain master is responsible for collating the browse lists of -multiple subnets so that browsing can occur between subnets. You can -make samba act as the domain master by setting domain master = yes -in &smb.conf;. By default it will not be a domain master. - - - -Note that you should NOT set Samba to be the domain master for a -workgroup that has the same name as an NT Domain. - - - -When samba is the domain master and the master browser it will listen -for master announcements (made roughly every twelve minutes) from local -master browsers on other subnets and then contact them to synchronise -browse lists. - - - -If you want samba to be the domain master then I suggest you also set -the os level high enough to make sure it wins elections, and set -preferred master to "yes", to get samba to force an election on -startup. 
- - - -Note that all your servers (including samba) and clients should be -using a WINS server to resolve NetBIOS names. If your clients are only -using broadcasting to resolve NetBIOS names, then two things will occur: - - - - - - your local master browsers will be unable to find a domain master - browser, as it will only be looking on the local subnet. - - - - - - if a client happens to get hold of a domain-wide browse list, and - a user attempts to access a host in that list, it will be unable to - resolve the NetBIOS name of that host. - - - - - -If, however, both samba and your clients are using a WINS server, then: - - - - - - your local master browsers will contact the WINS server and, as long as - samba has registered that it is a domain master browser with the WINS - server, your local master browser will receive samba's ip address - as its domain master browser. - - - - - - when a client receives a domain-wide browse list, and a user attempts - to access a host in that list, it will contact the WINS server to - resolve the NetBIOS name of that host. as long as that host has - registered its NetBIOS name with the same WINS server, the user will - be able to see that host. - - - - - - - -Note about broadcast addresses - - -If your network uses a "0" based broadcast address (for example if it -ends in a 0) then you will strike problems. Windows for Workgroups -does not seem to support a 0's broadcast and you will probably find -that browsing and name lookups won't work. - - - - -Multiple interfaces - - -Samba now supports machines with multiple network interfaces. If you -have multiple interfaces then you will need to use the interfaces -option in &smb.conf; to configure them. - - - diff --git a/docs/docbook/projdoc/NetworkBrowsing.sgml b/docs/docbook/projdoc/NetworkBrowsing.sgml new file mode 100644 index 0000000000..c4b6a07777 --- /dev/null +++ b/docs/docbook/projdoc/NetworkBrowsing.sgml 
@@ -0,0 +1,1288 @@ + + + &author.jht; + July 5, 1998 + Updated: March 15, 2003 + + +Samba / MS Windows Network Browsing Guide + + +This document contains detailed informataion as well as a fast track guide to +implementing browsing across subnets and / or across workgroups (or domains). +WINS is the best tool for resolution of NetBIOS names to IP addesses. WINS is +NOT involved in browse list handling except by way of name to address resolution. + + + +MS Windows 2000 and later can be configured to operate with NO NetBIOS +over TCP/IP. Samba-3 and later also supports this mode of operation. +When the use of NetBIOS over TCP/IP has been disabled then the primary +means for resolution of MS Windows machine names is via DNS and Active Directory. +The following information assumes that your site is running NetBIOS over TCP/IP. + + + +What is Browsing? + + +To most people browsing means that they can see the MS Windows and Samba servers +in the Network Neighborhood, and when the computer icon for a particular server is +clicked, it opens up and shows the shares and printers available on the target server. + + + +What seems so simple is in fact a very complex interaction of different technologies. +The technologies (or methods) employed in making all of this work includes: + + + + MS Windows machines register their presence to the network + Machines announce themselves to other machines on the network + One or more machine on the network collates the local announcements + The client machine finds the machine that has the collated list of machines + The client machine is able to resolve the machine names to IP addresses + The client machine is able to connect to a target machine + + + +The samba application that controls/manages browse list management and name resolution is +called nmbd. 
The configuration parameters involved in nmbd's operation are: + + + + Browsing options: + ----------------- + * os level + lm announce + lm interval + * preferred master + * local master + * domain master + browse list + enhanced browsing + + Name Resolution Method: + ----------------------- + * name resolve order + + WINS options: + ------------- + dns proxy + wins proxy + * wins server + * wins support + wins hook + + + +WINS Server and WINS Support are mutually exclusive options. Those marked with an '*' are +the only options that commonly MAY need to be modified. Even if not one of these parameters +is set nmbd will still do it's job. + + + + +Discussion + + +Firstly, all MS Windows networking is based on SMB (Server Message +Block) based messaging. SMB messaging may be implemented using NetBIOS or +without NetBIOS. Samba implements NetBIOS by encapsulating it over TCP/IP. +MS Windows products can do likewise. NetBIOS based networking uses broadcast +messaging to affect browse list management. When running NetBIOS over +TCP/IP this uses UDP based messaging. UDP messages can be broadcast or unicast. + + + +Normally, only unicast UDP messaging can be forwarded by routers. The +remote announce +parameter to smb.conf helps to project browse announcements +to remote network segments via unicast UDP. Similarly, the +remote browse sync parameter of smb.conf +implements browse list collation using unicast UDP. + + + +Secondly, in those networks where Samba is the only SMB server technology +wherever possible nmbd should be configured on one (1) machine as the WINS +server. This makes it easy to manage the browsing environment. If each network +segment is configured with it's own Samba WINS server, then the only way to +get cross segment browsing to work is by using the +remote announce and the remote browse sync +parameters to your smb.conf file. 
+ + + +If only one WINS server is used for an entire multi-segment network then +the use of the remote announce and the +remote browse sync parameters should NOT be necessary. + + + +As of Samba 3 WINS replication is being worked on. The bulk of the code has +been committed, but it still needs maturation. + + + +Right now samba WINS does not support MS-WINS replication. This means that +when setting up Samba as a WINS server there must only be one nmbd configured +as a WINS server on the network. Some sites have used multiple Samba WINS +servers for redundancy (one server per subnet) and then used +remote browse sync and remote announce +to affect browse list collation across all +segments. Note that this means clients will only resolve local names, +and must be configured to use DNS to resolve names on other subnets in +order to resolve the IP addresses of the servers they can see on other +subnets. This setup is not recommended, but is mentioned as a practical +consideration (ie: an 'if all else fails' scenario). + + + +Lastly, take note that browse lists are a collection of unreliable broadcast +messages that are repeated at intervals of not more than 15 minutes. This means +that it will take time to establish a browse list and it can take up to 45 +minutes to stabilise, particularly across network segments. + + + + + +How Browsing Functions + + +As stated above, MS Windows machines register their NetBIOS names +(ie: the machine name for each service type in operation) on start +up. Also, as stated above, the exact method by which this name registration +takes place is determined by whether or not the MS Windows client/server +has been given a WINS server address, whether or not LMHOSTS lookup +is enabled, or if DNS for NetBIOS name resolution is enabled, etc. + + + +In the case where there is no WINS server all name registrations as +well as name lookups are done by UDP broadcast. 
This isolates name +resolution to the local subnet, unless LMHOSTS is used to list all +names and IP addresses. In such situations Samba provides a means by +which the samba server name may be forcibly injected into the browse +list of a remote MS Windows network (using the +remote announce parameter). + + + +Where a WINS server is used, the MS Windows client will use UDP +unicast to register with the WINS server. Such packets can be routed +and thus WINS allows name resolution to function across routed networks. + + + +During the startup process an election will take place to create a +local master browser if one does not already exist. On each NetBIOS network +one machine will be elected to function as the domain master browser. This +domain browsing has nothing to do with MS security domain control. +Instead, the domain master browser serves the role of contacting each local +master browser (found by asking WINS or from LMHOSTS) and exchanging browse +list contents. This way every master browser will eventually obtain a complete +list of all machines that are on the network. Every 11-15 minutes an election +is held to determine which machine will be the master browser. By the nature of +the election criteria used, the machine with the highest uptime, or the +most senior protocol version, or other criteria, will win the election +as domain master browser. + + + +Clients wishing to browse the network make use of this list, but also depend +on the availability of correct name resolution to the respective IP +address/addresses. + + + +Any configuration that breaks name resolution and/or browsing intrinsics +will annoy users because they will have to put up with protracted +inability to use the network services. + + + +Samba supports a feature that allows forced synchonisation +of browse lists across routed networks using the remote +browse sync parameter in the smb.conf file. 
+This causes Samba to contact the local master browser on a remote network and +to request browse list synchronisation. This effectively bridges +two networks that are separated by routers. The two remote +networks may use either broadcast based name resolution or WINS +based name resolution, but it should be noted that the remote +browse sync parameter provides browse list synchronisation - and +that is distinct from name to address resolution, in other +words, for cross subnet browsing to function correctly it is +essential that a name to address resolution mechanism be provided. +This mechanism could be via DNS, /etc/hosts, +and so on. + + + +Setting up Browsing in a WORKGROUP + + +To set up cross subnet browsing on a network containing machines +in up to be in a WORKGROUP, not an NT Domain you need to set up one +Samba server to be the Domain Master Browser (note that this is *NOT* +the same as a Primary Domain Controller, although in an NT Domain the +same machine plays both roles). The role of a Domain master browser is +to collate the browse lists from local master browsers on all the +subnets that have a machine participating in the workgroup. Without +one machine configured as a domain master browser each subnet would +be an isolated workgroup, unable to see any machines on any other +subnet. It is the presense of a domain master browser that makes +cross subnet browsing possible for a workgroup. + + + +In an WORKGROUP environment the domain master browser must be a +Samba server, and there must only be one domain master browser per +workgroup name. To set up a Samba server as a domain master browser, +set the following option in the [global] section of the &smb.conf; file : + + + + + domain master = yes + + + + +The domain master browser should also preferrably be the local master +browser for its own subnet. 
In order to achieve this set the following +options in the [global] section of the &smb.conf; file : + + + + + domain master = yes + local master = yes + preferred master = yes + os level = 65 + + + + +The domain master browser may be the same machine as the WINS +server, if you require. + + + +Next, you should ensure that each of the subnets contains a +machine that can act as a local master browser for the +workgroup. Any MS Windows NT/2K/XP/2003 machine should be +able to do this, as will Windows 9x machines (although these +tend to get rebooted more often, so it's not such a good idea +to use these). To make a Samba server a local master browser +set the following options in the [global] section of the +&smb.conf; file : + + + + + domain master = no + local master = yes + preferred master = yes + os level = 65 + + + + +Do not do this for more than one Samba server on each subnet, +or they will war with each other over which is to be the local +master browser. + + + +The local master parameter allows Samba to act as a +local master browser. The preferred master causes nmbd +to force a browser election on startup and the os level +parameter sets Samba high enough so that it should win any browser elections. + + + +If you have an NT machine on the subnet that you wish to +be the local master browser then you can disable Samba from +becoming a local master browser by setting the following +options in the [global] section of the +&smb.conf; file : + + + + + domain master = no + local master = no + preferred master = no + os level = 0 + + + + + + +Setting up Browsing in a DOMAIN + + +If you are adding Samba servers to a Windows NT Domain then +you must not set up a Samba server as a domain master browser. +By default, a Windows NT Primary Domain Controller for a Domain +name is also the Domain master browser for that name, and many +things will break if a Samba server registers the Domain master +browser NetBIOS name (DOMAIN<1B>) +with WINS instead of the PDC. 
+ + + +For subnets other than the one containing the Windows NT PDC +you may set up Samba servers as local master browsers as +described. To make a Samba server a local master browser set +the following options in the [global] section +of the &smb.conf; file : + + + + + domain master = no + local master = yes + preferred master = yes + os level = 65 + + + + +If you wish to have a Samba server fight the election with machines +on the same subnet you may set the os level parameter +to lower levels. By doing this you can tune the order of machines that +will become local master browsers if they are running. For +more details on this see the section +Forcing samba to be the master browser +below. + + + +If you have Windows NT machines that are members of the domain +on all subnets, and you are sure they will always be running then +you can disable Samba from taking part in browser elections and +ever becoming a local master browser by setting following options +in the [global] section of the &smb.conf; +file : + + + + + domain master = no + local master = no + preferred master = no + os level = 0 + + + + + + +Forcing samba to be the master + + +Who becomes the master browser is determined by an election +process using broadcasts. Each election packet contains a number of parameters +which determine what precedence (bias) a host should have in the +election. By default Samba uses a very low precedence and thus loses +elections to just about anyone else. + + + +If you want Samba to win elections then just set the os level global +option in &smb.conf; to a higher number. It defaults to 0. Using 34 +would make it win all elections over every other system (except other +samba systems!) + + + +A os level of 2 would make it beat WfWg and Win95, but not MS Windows +NT/2K Server. A MS Windows NT/2K Server domain controller uses level 32. 
+ + +The maximum os level is 255 + + +If you want samba to force an election on startup, then set the +preferred master global option in &smb.conf; to "yes". Samba will +then have a slight advantage over other potential master browsers +that are not preferred master browsers. Use this parameter with +care, as if you have two hosts (whether they are windows 95 or NT or +samba) on the same local subnet both set with preferred master to +"yes", then periodically and continually they will force an election +in order to become the local master browser. + + + +If you want samba to be a domain master browser, then it is +recommended that you also set preferred master to "yes", because +samba will not become a domain master browser for the whole of your +LAN or WAN if it is not also a local master browser on its own +broadcast isolated subnet. + + + +It is possible to configure two samba servers to attempt to become +the domain master browser for a domain. The first server that comes +up will be the domain master browser. All other samba servers will +attempt to become the domain master browser every 5 minutes. They +will find that another samba server is already the domain master +browser and will fail. This provides automatic redundancy, should +the current domain master browser fail. + + + + + +Making samba the domain master + + +The domain master is responsible for collating the browse lists of +multiple subnets so that browsing can occur between subnets. You can +make samba act as the domain master by setting domain master = yes +in &smb.conf;. By default it will not be a domain master. + + + +Note that you should NOT set Samba to be the domain master for a +workgroup that has the same name as an NT Domain. + + + +When samba is the domain master and the master browser it will listen +for master announcements (made roughly every twelve minutes) from local +master browsers on other subnets and then contact them to synchronise +browse lists. 
+ + + +If you want samba to be the domain master then I suggest you also set +the os level high enough to make sure it wins elections, and set +preferred master to "yes", to get samba to force an election on +startup. + + + +Note that all your servers (including samba) and clients should be +using a WINS server to resolve NetBIOS names. If your clients are only +using broadcasting to resolve NetBIOS names, then two things will occur: + + + + + + your local master browsers will be unable to find a domain master + browser, as it will only be looking on the local subnet. + + + + + + if a client happens to get hold of a domain-wide browse list, and + a user attempts to access a host in that list, it will be unable to + resolve the NetBIOS name of that host. + + + + + +If, however, both samba and your clients are using a WINS server, then: + + + + + + your local master browsers will contact the WINS server and, as long as + samba has registered that it is a domain master browser with the WINS + server, your local master browser will receive samba's ip address + as its domain master browser. + + + + + + when a client receives a domain-wide browse list, and a user attempts + to access a host in that list, it will contact the WINS server to + resolve the NetBIOS name of that host. as long as that host has + registered its NetBIOS name with the same WINS server, the user will + be able to see that host. + + + + + + + +Note about broadcast addresses + + +If your network uses a "0" based broadcast address (for example if it +ends in a 0) then you will strike problems. Windows for Workgroups +does not seem to support a 0's broadcast and you will probably find +that browsing and name lookups won't work. + + + + +Multiple interfaces + + +Samba now supports machines with multiple network interfaces. If you +have multiple interfaces then you will need to use the interfaces +option in &smb.conf; to configure them. 
+ + + +Use of the <command>Remote Announce</command> parameter + +The remote announce parameter of +smb.conf can be used to forcibly ensure +that all the NetBIOS names on a network get announced to a remote network. +The syntax of the remote announce parameter is: + + remote announce = a.b.c.d [e.f.g.h] ... + +_or_ + + remote announce = a.b.c.d/WORKGROUP [e.f.g.h/WORKGROUP] ... + + +where: + +a.b.c.d and +e.f.g.h +is either the LMB (Local Master Browser) IP address +or the broadcst address of the remote network. +ie: the LMB is at 192.168.1.10, or the address +could be given as 192.168.1.255 where the netmask +is assumed to be 24 bits (255.255.255.0). +When the remote announcement is made to the broadcast +address of the remote network every host will receive +our announcements. This is noisy and therefore +undesirable but may be necessary if we do NOT know +the IP address of the remote LMB. + + + +WORKGROUP +is optional and can be either our own workgroup +or that of the remote network. If you use the +workgroup name of the remote network then our +NetBIOS machine names will end up looking like +they belong to that workgroup, this may cause +name resolution problems and should be avoided. + + + + + + + + +Use of the <command>Remote Browse Sync</command> parameter + + +The remote browse sync parameter of +smb.conf is used to announce to +another LMB that it must synchronise it's NetBIOS name list with our +Samba LMB. It works ONLY if the Samba server that has this option is +simultaneously the LMB on it's network segment. + + + +The syntax of the remote browse sync parameter is: + + +remote browse sync = a.b.c.d + + +where a.b.c.d is either the IP address of the +remote LMB or else is the network broadcast address of the remote segment. + + + + + + + +WINS - The Windows Internetworking Name Server + + +Use of WINS (either Samba WINS _or_ MS Windows NT Server WINS) is highly +recommended. 
Every NetBIOS machine registers it's name together with a +name_type value for each of of several types of service it has available. +eg: It registers it's name directly as a unique (the type 0x03) name. +It also registers it's name if it is running the lanmanager compatible +server service (used to make shares and printers available to other users) +by registering the server (the type 0x20) name. + + + +All NetBIOS names are up to 15 characters in length. The name_type variable +is added to the end of the name - thus creating a 16 character name. Any +name that is shorter than 15 characters is padded with spaces to the 15th +character. ie: All NetBIOS names are 16 characters long (including the +name_type information). + + + +WINS can store these 16 character names as they get registered. A client +that wants to log onto the network can ask the WINS server for a list +of all names that have registered the NetLogon service name_type. This saves +broadcast traffic and greatly expedites logon processing. Since broadcast +name resolution can not be used across network segments this type of +information can only be provided via WINS _or_ via statically configured +lmhosts files that must reside on all clients in the +absence of WINS. + + + +WINS also serves the purpose of forcing browse list synchronisation by all +LMB's. LMB's must synchronise their browse list with the DMB (domain master +browser) and WINS helps the LMB to identify it's DMB. By definition this +will work only within a single workgroup. Note that the domain master browser +has NOTHING to do with what is referred to as an MS Windows NT Domain. The +later is a reference to a security environment while the DMB refers to the +master controller for browse list information only. + + + +Use of WINS will work correctly only if EVERY client TCP/IP protocol stack +has been configured to use the WINS server/s. 
Any client that has not been +configured to use the WINS server will continue to use only broadcast based +name registration so that WINS may NEVER get to know about it. In any case, +machines that have not registered with a WINS server will fail name to address +lookup attempts by other clients and will therefore cause workstation access +errors. + + + +To configure Samba as a WINS server just add +wins support = yes to the smb.conf +file [globals] section. + + + +To configure Samba to register with a WINS server just add +"wins server = a.b.c.d" to your smb.conf file [globals] section. + + + +Never use both wins support = yes together +with wins server = a.b.c.d +particularly not using it's own IP address. +Specifying both will cause &nmbd; to refuse to start! + + + +Setting up a WINS server + + +Either a Samba machine or a Windows NT Server machine may be set up +as a WINS server. To set a Samba machine to be a WINS server you must +add the following option to the &smb.conf; file on the selected machine : +in the [globals] section add the line + + + + + wins support = yes + + + + +Versions of Samba prior to 1.9.17 had this parameter default to +yes. If you have any older versions of Samba on your network it is +strongly suggested you upgrade to a recent version, or at the very +least set the parameter to 'no' on all these machines. + + + +Machines with wins support = yes will keep a list of +all NetBIOS names registered with them, acting as a DNS for NetBIOS names. + + + +You should set up only ONE wins server. Do NOT set the +wins support = yes option on more than one Samba +server. + + + +To set up a Windows NT Server as a WINS server you need to set up +the WINS service - see your NT documentation for details. Note that +Windows NT WINS Servers can replicate to each other, allowing more +than one to be set up in a complex subnet environment. As Microsoft +refuse to document these replication protocols Samba cannot currently +participate in these replications. 
It is possible in the future that +a Samba->Samba WINS replication protocol may be defined, in which +case more than one Samba machine could be set up as a WINS server +but currently only one Samba server should have the +wins support = yes parameter set. + + + +After the WINS server has been configured you must ensure that all +machines participating on the network are configured with the address +of this WINS server. If your WINS server is a Samba machine, fill in +the Samba machine IP address in the "Primary WINS Server" field of +the "Control Panel->Network->Protocols->TCP->WINS Server" dialogs +in Windows 95 or Windows NT. To tell a Samba server the IP address +of the WINS server add the following line to the [global] section of +all &smb.conf; files : + + + + + wins server = <name or IP address> + + + + +where >name or IP address< is either the DNS name of the WINS server +machine or its IP address. + + + +Note that this line MUST NOT BE SET in the &smb.conf; file of the Samba +server acting as the WINS server itself. If you set both the +wins support = yes option and the +wins server = <name> option then +nmbd will fail to start. + + + +There are two possible scenarios for setting up cross subnet browsing. +The first details setting up cross subnet browsing on a network containing +Windows 95, Samba and Windows NT machines that are not configured as +part of a Windows NT Domain. The second details setting up cross subnet +browsing on networks that contain NT Domains. + + + + + +WINS Replication + + +Samba-3 permits WINS replication through the use of the wrepld utility. +This tool is not currently capable of being used as it is still in active development. +As soon as this tool becomes moderately functional we will prepare man pages and enhance this +section of the documentation to provide usage and technical details. + + + + +Static WINS Entries + + +New to Samba-3 is a tool called winsedit that may be used to add +static WINS entries to the WINS database. 
This tool can be used also to modify entries +existing in the WINS database. + + + +The development of the winsedit tool was made necessary due to the migration +of the older style wins.dat file into a new tdb binary backend data store. + + + + + + +Helpful Hints + + +The following hints should be carefully considered as they are stumbling points +for many new network administrators. + + + +Windows Networking Protocols + + +Do NOT use more than one (1) protocol on MS Windows machines + + + +A very common cause of browsing problems results from installing more than +one protocol on an MS Windows machine. + + + +Every NetBIOS machine takes part in a process of electing the LMB (and DMB) +every 15 minutes. A set of election criteria is used to determine the order +of precidence for winning this election process. A machine running Samba or +Windows NT will be biased so that the most suitable machine will predictably +win and thus retain it's role. + + + +The election process is "fought out" so to speak over every NetBIOS network +interface. In the case of a Windows 9x machine that has both TCP/IP and IPX +installed and has NetBIOS enabled over both protocols the election will be +decided over both protocols. As often happens, if the Windows 9x machine is +the only one with both protocols then the LMB may be won on the NetBIOS +interface over the IPX protocol. Samba will then lose the LMB role as Windows +9x will insist it knows who the LMB is. Samba will then cease to function +as an LMB and thus browse list operation on all TCP/IP only machines will +fail. + + + +Windows 95, 98, 98se, Me are referred to generically as Windows 9x. +The Windows NT4, 2000, XP and 2003 use common protocols. These are roughly +referred to as the WinNT family, but it should be recognised that 2000 and +XP/2003 introduce new protocol extensions that cause them to behave +differently from MS Windows NT4. 
Generally, where a server does NOT support +the newer or extended protocol, these will fall back to the NT4 protocols. + + + +The safest rule of all to follow it this - USE ONLY ONE PROTOCOL! + + + + + +Name Resolution Order + + +Resolution of NetBIOS names to IP addresses can take place using a number +of methods. The only ones that can provide NetBIOS name_type information +are: + + + WINS: the best tool! + LMHOSTS: is static and hard to maintain. + Broadcast: uses UDP and can not resolve names across remote segments. + + + +Alternative means of name resolution includes: + +/etc/hosts: is static, hard to maintain, and lacks name_type info +DNS: is a good choice but lacks essential name_type info. + + + +Many sites want to restrict DNS lookups and want to avoid broadcast name +resolution traffic. The "name resolve order" parameter is of great help here. +The syntax of the "name resolve order" parameter is: + +name resolve order = wins lmhosts bcast host + +_or_ + +name resolve order = wins lmhosts (eliminates bcast and host) + +The default is: + +name resolve order = host lmhost wins bcast +. +where "host" refers the the native methods used by the Unix system +to implement the gethostbyname() function call. This is normally +controlled by /etc/host.conf, /etc/nsswitch.conf and /etc/resolv.conf. + + + + + +Technical Overview of browsing + + +SMB networking provides a mechanism by which clients can access a list +of machines in a network, a so-called browse list. This list +contains machines that are ready to offer file and/or print services +to other machines within the network. Thus it does not include +machines which aren't currently able to do server tasks. The browse +list is heavily used by all SMB clients. Configuration of SMB +browsing has been problematic for some Samba users, hence this +document. + + + +MS Windows 2000 and later, as with Samba 3 and later, can be +configured to not use NetBIOS over TCP/IP. 
When configured this way +it is imperative that name resolution (using DNS/LDAP/ADS) be correctly +configured and operative. Browsing will NOT work if name resolution +from SMB machine names to IP addresses does not function correctly. + + + +Where NetBIOS over TCP/IP is enabled use of a WINS server is highly +recommended to aid the resolution of NetBIOS (SMB) names to IP addresses. +WINS allows remote segment clients to obtain NetBIOS name_type information +that can NOT be provided by any other means of name resolution. + + + +Browsing support in samba + + +Samba facilitates browsing. The browsing is supported by &nmbd; +and is also controlled by options in the &smb.conf; file. +Samba can act as a local browse master for a workgroup and the ability +for samba to support domain logons and scripts is now available. + + + +Samba can also act as a domain master browser for a workgroup. This +means that it will collate lists from local browse masters into a +wide area network server list. In order for browse clients to +resolve the names they may find in this list, it is recommended that +both samba and your clients use a WINS server. + + + +Note that you should NOT set Samba to be the domain master for a +workgroup that has the same name as an NT Domain: on each wide area +network, you must only ever have one domain master browser per workgroup, +regardless of whether it is NT, Samba or any other type of domain master +that is providing this service. + + + +Nmbd can be configured as a WINS server, but it is not +necessary to specifically use samba as your WINS server. MS Windows +NT4, Server or Advanced Server 2000 or 2003 can be configured as +your WINS server. In a mixed NT/2000/2003 server and samba environment on +a Wide Area Network, it is recommended that you use the Microsoft +WINS server capabilities. In a samba-only environment, it is +recommended that you use one and only one Samba server as your WINS server. 
+ + + +To get browsing to work you need to run nmbd as usual, but will need +to use the workgroup option in &smb.conf; +to control what workgroup Samba becomes a part of. + + + +Samba also has a useful option for a Samba server to offer itself for +browsing on another subnet. It is recommended that this option is only +used for 'unusual' purposes: announcements over the internet, for +example. See remote announce in the +&smb.conf; man page. + + + + +Problem resolution + + +If something doesn't work then hopefully the log.nmb file will help +you track down the problem. Try a debug level of 2 or 3 for finding +problems. Also note that the current browse list usually gets stored +in text form in a file called browse.dat. + + + +Note that if it doesn't work for you, then you should still be able to +type the server name as \\SERVER in filemanager then +hit enter and filemanager should display the list of available shares. + + + +Some people find browsing fails because they don't have the global +guest account set to a valid account. Remember that the +IPC$ connection that lists the shares is done as guest, and thus you must +have a valid guest account. + + + +MS Windows 2000 and upwards (as with Samba) can be configured to disallow +anonymous (ie: Guest account) access to the IPC$ share. In that case, the +MS Windows 2000/XP/2003 machine acting as an SMB/CIFS client will use the +name of the currently logged in user to query the IPC$ share. MS Windows +9X clients are not able to do this and thus will NOT be able to browse +server resources. + + + +The other big problem people have is that their broadcast address, +netmask or IP address is wrong (specified with the "interfaces" option +in &smb.conf;) + + + + +Browsing across subnets + +Since the release of Samba 1.9.17(alpha1) Samba has been +updated to enable it to support the replication of browse lists +across subnet boundaries. New code and options have been added to +achieve this. 
This section describes how to set this feature up +in different settings. + + + +To see browse lists that span TCP/IP subnets (ie. networks separated +by routers that don't pass broadcast traffic) you must set up at least +one WINS server. The WINS server acts as a DNS for NetBIOS names, allowing +NetBIOS name to IP address translation to be done by doing a direct +query of the WINS server. This is done via a directed UDP packet on +port 137 to the WINS server machine. The reason for a WINS server is +that by default, all NetBIOS name to IP address translation is done +by broadcasts from the querying machine. This means that machines +on one subnet will not be able to resolve the names of machines on +another subnet without using a WINS server. + + + +Remember, for browsing across subnets to work correctly, all machines, +be they Windows 95, Windows NT, or Samba servers must have the IP address +of a WINS server given to them by a DHCP server, or by manual configuration +(for Win95 and WinNT, this is in the TCP/IP Properties, under Network +settings) for Samba this is in the &smb.conf; file. + + + +How does cross subnet browsing work ? + + +Cross subnet browsing is a complicated dance, containing multiple +moving parts. It has taken Microsoft several years to get the code +that achieves this correct, and Samba lags behind in some areas. +Samba is capable of cross subnet browsing when configured correctly. + + + +Consider a network set up as follows : + + + + + (DMB) + N1_A N1_B N1_C N1_D N1_E + | | | | | + ------------------------------------------------------- + | subnet 1 | + +---+ +---+ + |R1 | Router 1 Router 2 |R2 | + +---+ +---+ + | | + | subnet 2 subnet 3 | + -------------------------- ------------------------------------ + | | | | | | | | + N2_A N2_B N2_C N2_D N3_A N3_B N3_C N3_D + (WINS) + + + + +Consisting of 3 subnets (1, 2, 3) connected by two routers +(R1, R2) - these do not pass broadcasts. 
Subnet 1 has 5 machines +on it, subnet 2 has 4 machines, subnet 3 has 4 machines. Assume +for the moment that all these machines are configured to be in the +same workgroup (for simplicities sake). Machine N1_C on subnet 1 +is configured as Domain Master Browser (ie. it will collate the +browse lists for the workgroup). Machine N2_D is configured as +WINS server and all the other machines are configured to register +their NetBIOS names with it. + + + +As all these machines are booted up, elections for master browsers +will take place on each of the three subnets. Assume that machine +N1_C wins on subnet 1, N2_B wins on subnet 2, and N3_D wins on +subnet 3 - these machines are known as local master browsers for +their particular subnet. N1_C has an advantage in winning as the +local master browser on subnet 1 as it is set up as Domain Master +Browser. + + + +On each of the three networks, machines that are configured to +offer sharing services will broadcast that they are offering +these services. The local master browser on each subnet will +receive these broadcasts and keep a record of the fact that +the machine is offering a service. This list of records is +the basis of the browse list. For this case, assume that +all the machines are configured to offer services so all machines +will be on the browse list. + + + +For each network, the local master browser on that network is +considered 'authoritative' for all the names it receives via +local broadcast. This is because a machine seen by the local +master browser via a local broadcast must be on the same +network as the local master browser and thus is a 'trusted' +and 'verifiable' resource. Machines on other networks that +the local master browsers learn about when collating their +browse lists have not been directly seen - these records are +called 'non-authoritative'. 
+ + + +At this point the browse lists look as follows (these are +the machines you would see in your network neighborhood if +you looked in it on a particular network right now). + + + + +Subnet Browse Master List +------ ------------- ---- +Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E + +Subnet2 N2_B N2_A, N2_B, N2_C, N2_D + +Subnet3 N3_D N3_A, N3_B, N3_C, N3_D + + + + +Note that at this point all the subnets are separate, no +machine is seen across any of the subnets. + + + +Now examine subnet 2. As soon as N2_B has become the local +master browser it looks for a Domain master browser to synchronize +its browse list with. It does this by querying the WINS server +(N2_D) for the IP address associated with the NetBIOS name +WORKGROUP>1B<. This name was registerd by the Domain master +browser (N1_C) with the WINS server as soon as it was booted. + + + +Once N2_B knows the address of the Domain master browser it +tells it that is the local master browser for subnet 2 by +sending a MasterAnnouncement packet as a UDP port 138 packet. +It then synchronizes with it by doing a NetServerEnum2 call. This +tells the Domain Master Browser to send it all the server +names it knows about. Once the domain master browser receives +the MasterAnnouncement packet it schedules a synchronization +request to the sender of that packet. After both synchronizations +are done the browse lists look like : + + + + +Subnet Browse Master List +------ ------------- ---- +Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E, + N2_A(*), N2_B(*), N2_C(*), N2_D(*) + +Subnet2 N2_B N2_A, N2_B, N2_C, N2_D + N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*) + +Subnet3 N3_D N3_A, N3_B, N3_C, N3_D + +Servers with a (*) after them are non-authoritative names. + + + + +At this point users looking in their network neighborhood on +subnets 1 or 2 will see all the servers on both, users on +subnet 3 will still only see the servers on their own subnet. 
+ + + +The same sequence of events that occured for N2_B now occurs +for the local master browser on subnet 3 (N3_D). When it +synchronizes browse lists with the domain master browser (N1_A) +it gets both the server entries on subnet 1, and those on +subnet 2. After N3_D has synchronized with N1_C and vica-versa +the browse lists look like. + + + + +Subnet Browse Master List +------ ------------- ---- +Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E, + N2_A(*), N2_B(*), N2_C(*), N2_D(*), + N3_A(*), N3_B(*), N3_C(*), N3_D(*) + +Subnet2 N2_B N2_A, N2_B, N2_C, N2_D + N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*) + +Subnet3 N3_D N3_A, N3_B, N3_C, N3_D + N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), + N2_A(*), N2_B(*), N2_C(*), N2_D(*) + +Servers with a (*) after them are non-authoritative names. + + + + +At this point users looking in their network neighborhood on +subnets 1 or 3 will see all the servers on all sunbets, users on +subnet 2 will still only see the servers on subnets 1 and 2, but not 3. + + + +Finally, the local master browser for subnet 2 (N2_B) will sync again +with the domain master browser (N1_C) and will recieve the missing +server entries. Finally - and as a steady state (if no machines +are removed or shut off) the browse lists will look like : + + + + +Subnet Browse Master List +------ ------------- ---- +Subnet1 N1_C N1_A, N1_B, N1_C, N1_D, N1_E, + N2_A(*), N2_B(*), N2_C(*), N2_D(*), + N3_A(*), N3_B(*), N3_C(*), N3_D(*) + +Subnet2 N2_B N2_A, N2_B, N2_C, N2_D + N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*) + N3_A(*), N3_B(*), N3_C(*), N3_D(*) + +Subnet3 N3_D N3_A, N3_B, N3_C, N3_D + N1_A(*), N1_B(*), N1_C(*), N1_D(*), N1_E(*), + N2_A(*), N2_B(*), N2_C(*), N2_D(*) + +Servers with a (*) after them are non-authoritative names. + + + + +Synchronizations between the domain master browser and local +master browsers will continue to occur, but this should be a +steady state situation. 
+ + + +If either router R1 or R2 fails the following will occur: + + + + + + Names of computers on each side of the inaccessible network fragments + will be maintained for as long as 36 minutes, in the network neighbourhood + lists. + + + + + + Attempts to connect to these inaccessible computers will fail, but the + names will not be removed from the network neighbourhood lists. + + + + + + If one of the fragments is cut off from the WINS server, it will only + be able to access servers on its local subnet, by using subnet-isolated + broadcast NetBIOS name resolution. The effects are similar to that of + losing access to a DNS server. + + + + + + + + diff --git a/docs/docbook/projdoc/samba-doc.sgml b/docs/docbook/projdoc/samba-doc.sgml index a0fc27fcb0..5c3793a1ba 100644 --- a/docs/docbook/projdoc/samba-doc.sgml +++ b/docs/docbook/projdoc/samba-doc.sgml @@ -50,7 +50,7 @@ PLEASE read this. &IntroSMB; &UNIX-INSTALL; -&BROWSING-Quick; +&NetworkBrowsing; &Passdb; @@ -90,7 +90,6 @@ for various environments. &VFS; &MS-Dfs-Setup; &IntegratingWithWindows; -&BROWSING; &SecuringSamba; &unicode; &locking; -- cgit From 2dfd0555143fc21a3cb877d4a62acc787c817f59 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Mon, 21 Apr 2003 22:21:37 +0000 Subject: Updates. (This used to be commit 27eafbec10ae82eb686a7326f23e2ad9de2369dd) --- docs/docbook/projdoc/NT4Migration.sgml | 19 ++++++------ docs/docbook/projdoc/NetworkBrowsing.sgml | 10 +++--- docs/docbook/projdoc/SWAT.sgml | 36 ++++++++++++++++++++-- docs/docbook/projdoc/samba-doc.sgml | 51 ++++++++++++++++++++----------- 4 files changed, 80 insertions(+), 36 deletions(-) (limited to 'docs/docbook') diff --git a/docs/docbook/projdoc/NT4Migration.sgml b/docs/docbook/projdoc/NT4Migration.sgml index 84719b9a94..60d9f121f4 100644 --- a/docs/docbook/projdoc/NT4Migration.sgml +++ b/docs/docbook/projdoc/NT4Migration.sgml 
@@ -445,9 +445,10 @@ Authentication database back end Winbind (external Samba or NT4/200x server) Can use pam_mkhomedir.so to auto-create home dirs External server could use Active Directory or NT4 Domain + Database type smbpasswd, tdbsam, ldapsam, MySQLsam - With local accounts or with No Unix Accounts (NUA option) + Access Control Points On the Share itself (Use NT4 Server Manager) On the file system @@ -455,19 +456,24 @@ Access Control Points Posix ACLs enablement in file system? Through Samba share parameters Not recommended - except as only resort + Policies (migrate or create new ones) Group Policy Editor (NT4) Watch out for Tattoo effect + User and Group Profiles Platform specific so use platform tool to change from a Local to a Roaming profile Can use new profiles tool to change SIDs (NTUser.DAT) + Logon Scripts (Know how they work) + User and Group mapping to Unix/Linux username map facility may be needed Use smbgroupedit to connect NT4 groups to Unix groups Use pdbedit to set/change user configuration NOTE: If migrating to LDAP back end it may be easier to dump initial LDAP database to LDIF, then edit, then reload into LDAP + OS specific scripts / programs may be needed Add / delete Users Note OS limits on size of name (Linux 8 chars) @@ -481,23 +487,16 @@ If migrating to LDAP back end it may be easier to dump initial LDAP database to Migration Tools Domain Control (NT4 Style) Profiles, Policies, Access Controls, Security + Migration Tools Samba: net, rpcclient, smbpasswd, pdbedit, smbgroupedit, profiles Windows: NT4 Domain User Manager, Server Manager (NEXUS) + Authentication New SAM back end (smbpasswd, tdbsam, ldapsam, mysqlsam) - With of without Unix Accounts (NUA) - -Managing Samba-3 Domain Control - - -Lots of blah blah here. - - - diff --git a/docs/docbook/projdoc/NetworkBrowsing.sgml b/docs/docbook/projdoc/NetworkBrowsing.sgml index c4b6a07777..7743cb9c75 100644 --- a/docs/docbook/projdoc/NetworkBrowsing.sgml 
+++ b/docs/docbook/projdoc/NetworkBrowsing.sgml @@ -2,7 +2,7 @@ &author.jht; July 5, 1998 - Updated: March 15, 2003 + Updated: April 21, 2003 Samba / MS Windows Network Browsing Guide @@ -220,7 +220,7 @@ and so on. -Setting up Browsing in a WORKGROUP +Setting up WORKGROUP Browsing To set up cross subnet browsing on a network containing machines @@ -322,7 +322,7 @@ options in the [global] section of the -Setting up Browsing in a DOMAIN +Setting up DOMAIN Browsing If you are adding Samba servers to a Windows NT Domain then @@ -743,7 +743,7 @@ all &smb.conf; files : -where >name or IP address< is either the DNS name of the WINS server +where <name or IP address> is either the DNS name of the WINS server machine or its IP address. @@ -1147,7 +1147,7 @@ Now examine subnet 2. As soon as N2_B has become the local master browser it looks for a Domain master browser to synchronize its browse list with. It does this by querying the WINS server (N2_D) for the IP address associated with the NetBIOS name -WORKGROUP>1B<. This name was registerd by the Domain master +WORKGROUP<1B>. This name was registerd by the Domain master browser (N1_C) with the WINS server as soon as it was booted. diff --git a/docs/docbook/projdoc/SWAT.sgml b/docs/docbook/projdoc/SWAT.sgml index 7326a49874..ad43fd7b8a 100644 --- a/docs/docbook/projdoc/SWAT.sgml +++ b/docs/docbook/projdoc/SWAT.sgml 
@@ -1,19 +1,49 @@ &author.jht; - April 3, 2003 + April 21, 2003 SWAT - The Samba Web Admininistration Tool -This is a rough guide to SWAT. +There are many and varied opinions regarding the usefulness or otherwise of SWAT. +No matter how hard one tries to produce the perfect configuration tool it remains +an object of personal taste. SWAT is a tool that will allow web based configuration +of samba. It has a wizard that may help to get samba configured quickly, it has context +sensitive help on each smb.conf parameter, it provides for monitoring of current state +of connection information, and it allows network wide MS Windows network password +management. SWAT Features and Benefits -You must use at least the following ... + +There are network administrators who believe that it is a good idea to write systems +documentation inside configuration files, for them SWAT will aways be a nasty tool. SWAT +does not store the configuration file in any intermediate form, rather, it stores only the +parameter settings, so when SWAT writes the smb.conf file to disk it will write only +those parameters that are at other than the default settings. The result is that all comments +will be lost from the smb.conf file. Additionally, the parameters will be written back in +internal ordering. + + + +So before using SWAT please be warned - SWAT will completely replace your smb.conf with +a fully optimised file that has been stripped of all comments you might have placed there +and only non-default settings will be written to the file. + + + +SWAT should be installed to run via the network super daemon. Depending on which system +your Unix/Linux system has you will have either an inetd or +xinetd based system. + + + +The nature and location of the network super + The SWAT Home Page diff --git a/docs/docbook/projdoc/samba-doc.sgml b/docs/docbook/projdoc/samba-doc.sgml index 5c3793a1ba..6048d60e5f 100644 --- a/docs/docbook/projdoc/samba-doc.sgml +++ b/docs/docbook/projdoc/samba-doc.sgml 
@@ -14,17 +14,29 @@ &person.jht; &person.jerry; - Sunday 6 April + Monday April 21, 2003 This book is a collection of HOWTOs added to Samba documentation over the years. -Samba is always under development, and so is it's documentation. -The most recent version of this document -can be found at http://www.samba.org/ -on the "Documentation" page. Please send updates to jerry@samba.org or -jelmer@samba.org. +Samba is always under development, and so is it's documentation. This release of the +documentation represents a major revision or layout as well as contents. +The most recent version of this document can be found at +http://www.samba.org/ +on the "Documentation" page. Please send updates to +jelmer@samba.org, +jht@samba.org or +jerry@samba.org. + + + +The Samba-Team would like to express sincere thanks to the many people who have with +or without their knwoledge contributed to this update. The size and scope of this +project would not have been possible without significant community contribution. A not +insignificant number of ideas for inclusion (if not content itself) has been obtained +from a number of Unofficial HOWTOs - to each such author a big "Thank-you" is also offered. +Please keep publishing you Unofficial HOWTO's - they are a source of inspiration and +application knowledge that is most to be desired by may Samba users and administrators. 
@@ -41,26 +53,25 @@ url="http://www.fsf.org/licenses/gpl.txt">http://www.fsf.org/licenses/gpl.txt -General installation +General Installation -Introduction -This part contains general info on how to install samba +Preparing Samba for Configuration +This section of the Samba-HOWTO-Collection contains general info on how to install samba and how to configure the parts of samba you will most likely need. PLEASE read this. &IntroSMB; &UNIX-INSTALL; -&NetworkBrowsing; -&Passdb; -Type of installation +Server Configuration Basics -Introduction +First Steps in Server Configuration -Samba can operate in various SMB networks. This part contains information on configuring samba -for various environments. +Samba can operate in various modes within SMB networks. This HOWTO section contains information on +configuring samba to function as the type of server your network requires. Please read this +section carefully. &ServerType; @@ -74,9 +85,13 @@ for various environments. Advanced Configuration -Introduction -Samba has several features that you might want or might not want to use. The chapters in this part each cover one specific feature. +Valuable Nuts and Bolts Information + +Samba has several features that you might want or might not want to use. The chapters in this part each cover specific Samba features. + +&NetworkBrowsing; +&Passdb; &NT-Security; &GROUP-MAPPING-HOWTO; &PRINTER-DRIVER2; -- cgit
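Review bot: In the new docs/docbook/projdoc/NetworkBrowsing.sgml, the cross-subnet walkthrough names the wrong host in the subnet 3 step: it says N3_D synchronizes with "the domain master browser (N1_A)", while the setup paragraph, the browse-list tables and the very next sentence all give N1_C as the domain master browser, so this should read N1_C. Two smaller inconsistencies in the same file would mislead anyone copying settings from it: the stated default "name resolve order = host lmhost wins bcast" spells the method "lmhost" where the syntax lines just above use "lmhosts" (and is followed by a stray "."), and the smb.conf section is written "[globals]" in three places and "[global]" in one; pick the "[global]" form used elsewhere in the file.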
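Review bot: The two NUA lines removed from NT4Migration.sgml ("With local accounts or with No Unix Accounts (NUA option)" under Database type in the @@ -445,9 +445,10 @@ hunk, and "With of without Unix Accounts (NUA)" under Authentication in the @@ -481,23 +487,16 @@ hunk) disappear with no explanation, and the commit message says only "Updates.". If the NUA option is deliberately being dropped from the migration outline, say so in the commit message so the history distinguishes that decision from the blank-line cleanup and the removal of the "Lots of blah blah here." placeholder in the same hunks.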
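Review bot: The replacement line in the @@ -1147,7 +1147,7 @@ hunk of NetworkBrowsing.sgml fixes the swapped angle brackets around 1B in the WORKGROUP name but still carries the typo "registerd"; since the line is being rewritten anyway, correct it to "registered" in the same change.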
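Review bot: The last paragraph added in the SWAT.sgml hunk stops mid-sentence at "The nature and location of the network super", so the text on running SWAT from inetd or xinetd ends without any instructions; finish the paragraph or leave it out until it is written. The warning that comments are lost is also given twice in a row (the "SWAT does not store the configuration file" paragraph and the "So before using SWAT please be warned" paragraph) and would read better merged, and "aways" should be "always". Since the new opening paragraph describes SWAT as rewriting smb.conf and managing passwords network wide, the inetd/xinetd paragraph is the natural place to state which hosts and users are expected to reach the service.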
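Review bot: The acknowledgement paragraph added in the @@ -14,17 +14,29 @@ hunk of samba-doc.sgml has typos that will go straight into the published book: "knwoledge", "Please keep publishing you Unofficial HOWTO's" (your) and "desired by may Samba users" (many). In the sentence before it, "a major revision or layout as well as contents" looks like it was meant to be "of layout", and "it's documentation" should be "its documentation".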